pacman/scripts/pacman-key.sh.in

#!/bin/bash -e
#
#   pacman-key - manages pacman's keyring
#                Based on apt-key, from Debian
#   @configure_input@
#
#   Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# gettext initialization
export TEXTDOMAIN='pacman-scripts'
export TEXTDOMAINDIR='@localedir@'

myver="@PACKAGE_VERSION@"

# Options
ADD=0
DELETE=0
EDITKEY=0
EXPORT=0
FINGER=0
INIT=0
LIST=0
RECEIVE=0
RELOAD=0
UPDATEDB=0
VERIFY=0

m4_include(library/output_format.sh)

m4_include(library/parse_options.sh)

usage() {
	printf "pacman-key (pacman) %s\n" ${myver}
	echo
	printf "$(gettext "Usage: %s [options]")\n" $(basename $0)
	echo
	printf "$(gettext "Manage pacman\'s list of trusted keys")\n"
	echo
	echo "$(gettext "Options:")"
	echo "$(gettext "  -a, --add [<file(s)>]     Add the specified keys (empty for stdin)")"
	echo "$(gettext "  -d, --delete <keyid(s)>   Remove the specified keyids")"
	echo "$(gettext "  -e, --export [<keyid(s)>] Export the specified or all keyids")"
	echo "$(gettext "  -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")"
	echo "$(gettext "  -h, --help                Show this help message and exit")"
	echo "$(gettext "  -l, --list                List keys")"
	echo "$(gettext "  -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
	echo "$(gettext "  -u, --updatedb            Update the trustdb of pacman")"
	echo "$(gettext "  -v, --verify <signature>  Verify the file specified by the signature")"
	echo "$(gettext "  -V, --version             Show program version")"
	echo "$(gettext "  --config <file>           Use an alternate config file")"
	printf "$(gettext "                                    (instead of '%s')")\n" "@sysconfdir@/pacman.conf"
	echo "$(gettext "  --edit-key <keyid(s)>     Present a menu for key management task on keyids")"
	echo "$(gettext "  --gpgdir <dir>            Set an alternate directory for gnupg")"
	printf "$(gettext "                                    (instead of '%s')")\n" "@sysconfdir@/pacman.d/gnupg"
	echo "$(gettest "  --init                    Ensure the keyring is properly initialized")"
	echo "$(gettext "  --reload                  Reload the default keys")"
}

version() {
	printf "pacman-key (pacman) %s\n" "${myver}"
	printf "$(gettext "\
Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>.\n\
This is free software; see the source for copying conditions.\n\
There is NO WARRANTY, to the extent permitted by law.\n")"
}

# read the config file "$1" which has key=value pairs, and return the key which
# matches "$2". the equals sign between pairs may be surrounded by any amount
# of whitespace.
get_from() {
	while IFS='=' read -r key value; do
		[[ -z $key || ${key:0:1} = '#' ]] && continue

		if [[ ${key%% *} = "$2" && -n ${value##* } ]]; then
			echo "${value##* }"
			return 0
		fi
	done < "$1"
	return 1
}

initialize() {
	# Check for simple existence rather than for a directory as someone
	# may want to use a symlink here
	[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"

	# keyring files
	[[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
	[[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
	[[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || ${GPG_PACMAN} --update-trustdb
	chmod 644 ${PACMAN_KEYRING_DIR}/{{pub,sec}ring,trustdb}.gpg

	# gpg.conf
	[[ ! -f ${PACMAN_KEYRING_DIR}/gpg.conf ]] || touch  ${PACMAN_KEYRING_DIR}/gpg.conf
	chmod 644 ${PACMAN_KEYRING_DIR}/gpg.conf
	if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
		echo "lock-never" >> ${PACMAN_KEYRING_DIR}/gpg.conf
	fi
}

check_keyring() {
	if [[ ! -r ${PACMAN_KEYRING_DIR}/pubring.gpg || \
			! -r ${PACMAN_KEYRING_DIR}/secring.gpg || \
			! -r ${PACMAN_KEYRING_DIR}/trustdb.gpg ]]; then
		error "$(gettext "You do not have sufficient permissions to read the %s keyring...")" "pacman"
		msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
		exit 1
	fi

	if (( (EXPORT || FINGER || LIST || VERIFY) && EUID != 0 )); then
		if ! grep -w -q "lock-never" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
			error "$(gettext "You do not have sufficient permissions to run this command...")"
			msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
			exit 1
		fi
	fi

}

verify_keyring_input() {
	local ret=0;

	# Verify signatures of related files, if they exist
	if [[ -r "${ADDED_KEYS}" ]]; then
		msg "$(gettext "Verifying official keys file signature...")"
		if ! ${GPG_PACMAN} --verify "${ADDED_KEYS}.sig" &>/dev/null; then
			error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
			ret=1
		fi
	fi

	if [[ -r "${DEPRECATED_KEYS}" ]]; then
		msg "$(gettext "Verifying deprecated keys file signature...")"
		if ! ${GPG_PACMAN} --verify "${DEPRECATED_KEYS}.sig" &>/dev/null; then
			error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
			ret=1
		fi
	fi

	if [[ -r "${REMOVED_KEYS}" ]]; then
		msg "$(gettext "Verifying deleted keys file signature...")"
		if ! ${GPG_PACMAN} --verify "${REMOVED_KEYS}.sig" &>/dev/null; then
			error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
			ret=1
		fi
	fi

	return errors
}

reload_keyring() {
	local PACMAN_SHARE_DIR='@prefix@/share/pacman'
	local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}"

	# Variable used for iterating on keyrings
	local key
	local key_id

	# Keyring with keys to be added to the keyring
	local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"

	# Keyring with keys that were deprecated and will eventually be deleted
	local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"

	# List of keys removed from the keyring. This file is not a keyring, unlike the others.
	# It is a textual list of values that gpg recogniezes as identifiers for keys.
	local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"

	verify_keyring_input || exit 1

	# Read the key ids to an array. The conversion from whatever is inside the file
	# to key ids is important, because key ids are the only guarantee of identification
	# for the keys.
	local -A removed_ids
	if [[ -r "${REMOVED_KEYS}" ]]; then
		while read key; do
			local key_values name
			key_values="$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')"
			if [[ -n $key_values ]]; then
				# The first word is the key_id
				key_id="${key_values%% *}"
				# the rest if the name of the owner
				name="${key_values#* }"
				if [[ -n ${key_id} ]]; then
					# Mark this key to be deleted
					removed_ids[$key_id]="$name"
				fi
			fi
		done < "${REMOVED_KEYS}"
	fi

	# List of keys that must be kept installed, even if in the list of keys to be removed
	local HOLD_KEYS="$(get_from "$CONFIG" "HoldKeys")"

	# Remove the keys that must be kept from the set of keys that should be removed
	if [[ -n ${HOLD_KEYS} ]]; then
		for key in ${HOLD_KEYS}; do
			key_id="$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)"
			if [[ -n "${removed_ids[$key_id]}" ]]; then
				unset removed_ids[$key_id]
			fi
		done
	fi

	# Add keys from the current set of keys from pacman-keyring package. The web of trust will
	# be updated automatically.
	if [[ -r "${ADDED_KEYS}" ]]; then
		msg "$(gettext "Appending official keys...")"
		local add_keys="$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)"
		for key_id in ${add_keys}; do
			# There is no point in adding a key that will be deleted right after
			if [[ -z "${removed_ids[$key_id]}" ]]; then
				${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
			fi
		done
	fi

	if [[ -r "${DEPRECATED_KEYS}" ]]; then
		msg "$(gettext "Appending deprecated keys...")"
		local add_keys="$(${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)"
		for key_id in ${add_keys}; do
			# There is no point in adding a key that will be deleted right after
			if [[ -z "${removed_ids[$key_id]}" ]]; then
				${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
			fi
		done
	fi

	# Remove the keys not marked to keep
	if (( ${#removed_ids[@]} > 0 )); then
		msg "$(gettext "Removing deleted keys from keyring...")"
		for key_id in "${!removed_ids[@]}"; do
			echo "  removing key $key_id - ${removed_ids[$key_id]}"
			${GPG_PACMAN} --quiet --batch --yes --delete-key "${key_id}"
		done
	fi

	# Update trustdb, just to be sure
	msg "$(gettext "Updating trust database...")"
	${GPG_PACMAN} --batch --check-trustdb
}

receive_keys() {
	if [[ -z ${KEYIDS[@]} ]]; then
		error "$(gettext "You need to specify the keyserver and at least one key identifier")"
		exit 1
	fi
	${GPG_PACMAN} --keyserver "$KEYSERVER" --recv-keys "${KEYIDS[@]}"
}

edit_keys() {
	local errors=0;
	for key in ${KEYIDS[@]}; do
		# Verify if the key exists in pacman's keyring
		if ! ${GPG_PACMAN} --list-keys "$key" &>/dev/null; then
			error "$(gettext "The key identified by %s does not exist")" "$key"
			errors=1;
		fi
	done
	(( errors )) && exit 1;

	for key in ${KEYIDS[@]}; do
		${GPG_PACMAN} --edit-key "$key"
	done
}

# PROGRAM START
if ! type gettext &>/dev/null; then
	gettext() {
		echo "$@"
	}
fi

OPT_SHORT="a::d:e:f::hlr:uv:V"
OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
OPT_LONG+=",help,init,list,receive:,reload,updatedb,verify:,version"
if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
	echo; usage; exit 1 # E_INVALID_OPTION;
fi
eval set -- "$OPT_TEMP"
unset OPT_SHORT OPT_LONG OPT_TEMP

if [[ $1 == "--" ]]; then
	usage;
	exit 0;
fi

while true; do
	case "$1" in
		-a|--add)         ADD=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYFILES=($1) ;;
		--config)         shift; CONFIG=$1 ;;
		-d|--delete)      DELETE=1; shift; KEYIDS=($1) ;;
		--edit-key)       EDITKEY=1; shift; KEYIDS=($1) ;;
		-e|--export)      EXPORT=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
		-f|--finger)      FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
		--gpgdir)         shift; PACMAN_KEYRING_DIR=$1 ;;
		--init)           INIT=1 ;;
		-l|--list)        LIST=1 ;;
		-r|--receive)     RECEIVE=1; shift; KEYSERVER="${1[0]}"; KEYIDS=("${1[@]:1}") ;;
		--reload)         RELOAD=1 ;;
		-u|--updatedb)    UPDATEDB=1 ;;
		-v|--verify)      VERIFY=1; shift; SIGNATURE=$1 ;;

		-h|--help)        usage; exit 0 ;;
		-V|--version)     version; exit 0 ;;

		--)               OPT_IND=0; shift; break;;
		*)                usage; exit 1 ;;
	esac
	shift
done


if ! type -p gpg >/dev/null; then
    error "$(gettext "Cannot find the %s binary required for all %s operations.")" "gpg" "pacman-key"
	exit 1
fi

if (( (ADD || DELETE || EDITKEY || INIT || RECEIVE || RELOAD || UPDATEDB) && EUID != 0 )); then
	error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
	exit 1
fi

CONFIG=${CONFIG:-@sysconfdir@/pacman.conf}
if [[ ! -r "${CONFIG}" ]]; then
	error "$(gettext "%s configuation file '%s' not found.")" "pacman" "$CONFIG"
	exit 1
fi

# if PACMAN_KEYRING_DIR isn't assigned, try to get it from the config
# file, falling back on a hard default
PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" || echo "@sysconfdir@/pacman.d/gnupg")}

GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning"

# check only a single operation has been given
numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + INIT + LIST + RECEIVE + RELOAD + UPDATEBD + VERIFY ))

if (( ! numopt )); then
	error "$(gettext "No operations specified")"
	echo
	usage
	exit 1
fi

if (( numopt != 1 )); then
	error "$(gettext "Multiple operations specified")"
	printf "$(gettext "Please run %s with each operation separately\n")" "pacman-key"
	exit 1
fi

(( ! INIT )) && check_keyring

(( ADD )) && ${GPG_PACMAN} --quiet --batch --import "${KEYFILES[@]}"
(( DELETE )) && ${GPG_PACMAN} --quiet --batch --delete-key --yes "${KEYIDS[@]}"
(( EDITKEY )) && edit_keys
(( EXPORT )) && ${GPG_PACMAN} --armor --export "${KEYIDS[@]}"
(( FINGER )) && ${GPG_PACMAN} --batch --fingerprint "${KEYIDS[@]}"
(( INIT )) && initialize
(( LIST )) && ${GPG_PACMAN} --batch --list-sigs "${KEYIDS[@]}"
(( RECEIVE )) && receive_keys
(( RELOAD )) && reload_keyring
(( UPDATEDB )) && ${GPG_PACMAN} --batch --check-trustdb
(( VERIFY )) && ${GPG_PACMAN} --verify $SIGNATURE

# vim: set ts=2 sw=2 noet: