[arch-projects] [dbscripts][PATCH] Prepare to sign repo databases
Allan McRae
allan at archlinux.org
Sat Nov 2 21:19:40 EDT 2013
Add function to sign repo database. Enabling signing requires setting
SIGN_DB to true and adding the key ID to DB_KEY. The DB_KEY is restricted
from signing package files.
Signed-off-by: Allan McRae <allan at archlinux.org>
---
config | 3 +++
db-functions | 17 ++++++++++++++++-
db-move | 6 ++++++
db-remove | 1 +
db-repo-add | 1 +
db-repo-remove | 1 +
db-update | 1 +
testing2x | 2 ++
8 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/config b/config
index d1413cc..2069565 100644
--- a/config
+++ b/config
@@ -20,6 +20,9 @@ SOURCE_CLEANUP_KEEP=14
REQUIRE_SIGNATURE=true
MASTER_KEYS=('6AC6A4C2' '824B18E8' '4C7EA887' 'FFF979E7' 'CDFD6BB0')
+SIGN_DB=false
+DB_KEY=''
+
LOCK_DELAY=10
LOCK_TIMEOUT=300
diff --git a/db-functions b/db-functions
index 26e6825..bbbee25 100644
--- a/db-functions
+++ b/db-functions
@@ -227,6 +227,21 @@ repo_unlock () { #repo_unlock <repo-name> <arch>
fi
}
+# sign_db <repo-name> <arch>
+sign_db() {
+ local repo=$1
+ local arch=$2
+ local dbfile="${FTP_BASE}/${repo}/os/${arch}/${repo}${DBEXT}"
+ local filesfile="${FTP_BASE}/${repo}/os/${arch}/${repo}${FILESEXT}"
+
+ if ! $SIGN_DB; the
+ return 0
+ fi
+
+ gpg --homedir=/etc/pacman.d/gnupg/ --default-key ${DB_KEY} --detach-sign ${dbfile}
+ gpg --homedir=/etc/pacman.d/gnupg/ --default-key ${DB_KEY} --detach-sign ${filesfile}
+}
+
# usage: _grep_pkginfo pkgfile pattern
_grep_pkginfo() {
local _ret
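Review bot: The new `sign_db` does not parse as shown — the condition on the `if ! $SIGN_DB; the` line is missing the `n` of `then` — and the condition itself runs the config value as a command, so anything other than `true`/`false` in `SIGN_DB` is executed rather than compared; a string test such as `if [[ "${SIGN_DB}" != true ]]; then` is the safer shape. The two `gpg` calls also leave the function's status equal to the second call's, so a failure signing `${dbfile}` is masked, and a `.sig` left by an earlier run makes `gpg --detach-sign` prompt to overwrite (or fail under `--batch`), which is presumably unwanted in a non-interactive script. `${DB_KEY}`, `${dbfile}` and `${filesfile}` should be quoted like the other paths in this file. The rewrite below keeps the locals and adds `--batch --yes` plus an explicit failure return.
```shell
sign_db() {
  # … unchanged: local repo / arch / dbfile / filesfile …

  if [[ "${SIGN_DB}" != true ]]; then
    return 0
  fi

  # --batch --yes: never prompt; replace a stale .sig left by an earlier run
  gpg --homedir=/etc/pacman.d/gnupg/ --batch --yes --default-key "${DB_KEY}" \
    --detach-sign "${dbfile}" || return 1
  gpg --homedir=/etc/pacman.d/gnupg/ --batch --yes --default-key "${DB_KEY}" \
    --detach-sign "${filesfile}" || return 1
}
```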
@@ -388,7 +403,7 @@ check_signature() {
return 1
fi
- for k in ${MASTER_KEYS}; do
+ for k in ${MASTER_KEYS} ${DB_KEY}; do
if pacman-key -v "${pkgfile}.sig" 2>&1 | grep -q "key ID ${k}"
return 1
fi
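Review bot: The rewritten `for k in ${MASTER_KEYS} ${DB_KEY}` still expands only the first element of the `MASTER_KEYS` array declared in `config`, so packages signed with any master key other than the first are not rejected here; it should read `for k in "${MASTER_KEYS[@]}" ${DB_KEY}; do`. Note that `${DB_KEY}` must stay unquoted (or be guarded with `[[ -n "${DB_KEY}" ]]`): with the default `DB_KEY=''` a quoted empty `k` would turn the pattern into `"key ID "`, which matches every signature and makes `check_signature` reject all packages. A short comment on the loop, `# reject packages signed with a master key or the database-signing key`, would make the intent of the list visible. The `check_signature` function starts and ends outside this hunk.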
diff --git a/db-move b/db-move
index 1fa44d4..e51ce02 100755
--- a/db-move
+++ b/db-move
@@ -120,6 +120,12 @@ for tarch in ${ARCHES[@]}; do
done
for pkgarch in ${ARCHES[@]}; do
+ sign_db ${repo_from} ${pkgarch}
+ sign_db ${repo_to} ${pkgarch}
+done
+
+
+for pkgarch in ${ARCHES[@]}; do
repo_unlock ${repo_from} ${pkgarch}
repo_unlock ${repo_to} ${pkgarch}
done
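Review bot: `sign_db` is called here without checking its status, so if signing fails the repository is unlocked and published with a missing or stale `.sig` and nothing reports it; the same pattern appears in the db-remove, db-repo-add, db-repo-remove, db-update and testing2x hunks. A minimal change is `sign_db "${repo_from}" "${pkgarch}" || sign_failed=1` in the loop and failing the script after the unlock loop when `sign_failed` is set, since exiting before `repo_unlock` would leave the lock held unless a trap releases it (not visible here). The two consecutive blank lines after the new loop can be collapsed to one.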
diff --git a/db-remove b/db-remove
index 25cb9a7..8de0b7f 100755
--- a/db-remove
+++ b/db-remove
@@ -48,5 +48,6 @@ done
for tarch in ${tarches[@]}; do
arch_repo_remove "${repo}" "${tarch}" ${remove_pkgs[@]}
+ sign_db $repo $tarch
repo_unlock $repo $tarch
done
diff --git a/db-repo-add b/db-repo-add
index 5d5b653..aa79b9f 100755
--- a/db-repo-add
+++ b/db-repo-add
@@ -37,5 +37,6 @@ for tarch in ${tarches[@]}; do
fi
done
arch_repo_add "${repo}" "${tarch}" ${pkgfiles[@]}
+ sign_db $repo $tarch
repo_unlock $repo $tarch
done
diff --git a/db-repo-remove b/db-repo-remove
index 2a693f4..2f6ccb7 100755
--- a/db-repo-remove
+++ b/db-repo-remove
@@ -33,5 +33,6 @@ for tarch in ${tarches[@]}; do
msg "Removing $pkgname from [$repo]..."
done
arch_repo_remove "${repo}" "${tarch}" ${pkgnames[@]}
+ sign_db $repo $tarch
repo_unlock $repo $tarch
done
diff --git a/db-update b/db-update
index 087a248..c82017c 100755
--- a/db-update
+++ b/db-update
@@ -91,6 +91,7 @@ done
for repo in ${repos[@]}; do
for pkgarch in ${ARCHES[@]}; do
+ sign_db ${repo} ${pkgarch}
repo_unlock ${repo} ${pkgarch}
done
done
diff --git a/testing2x b/testing2x
index 369857f..8ce5f2b 100755
--- a/testing2x
+++ b/testing2x
@@ -47,10 +47,12 @@ for pkgbase in $*; do
done
for pkgarch in ${ARCHES[@]}; do
+ sign_db ${TESTING_REPO} ${pkgarch}
repo_unlock ${TESTING_REPO} ${pkgarch}
done
for repo in ${STABLE_REPOS[@]}; do
for pkgarch in ${ARCHES[@]}; do
+ sign_db ${repo} ${pkgarch}
repo_unlock ${repo} ${pkgarch}
done
if [ -n "${pkgs[${repo}]}" ]; then
--
1.8.4.2