pacman/scripts/pacman-key.sh.in

#!/bin/bash -e
#
#   pacman-key - manages pacman's keyring
#                Based on apt-key, from Debian
#   @configure_input@
#
#   Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

# gettext initialization
export TEXTDOMAIN='pacman-scripts'
export TEXTDOMAINDIR='@localedir@'

myver="@PACKAGE_VERSION@"

# Options
ADD=0
DELETE=0
EXPORT=0
FINGER=0
LIST=0
RECEIVE=0
RELOAD=0
TRUST=0
UPDATEDB=0

m4_include(library/output_format.sh)

m4_include(library/parse_options.sh)

usage() {
	printf "pacman-key (pacman) %s\n" ${myver}
	echo
	printf "$(gettext "Usage: %s [options]")\n" $(basename $0)
	echo
	printf "$(gettext "Manage pacman\'s list of trusted keys")\n"
	echo
	echo "$(gettext "Options:")"
	echo "$(gettext "  -a, --add [<file(s)>]     Add the specified keys (empty for stdin)")"
	echo "$(gettext "  -d, --delete <keyid(s)>   Remove the specified keyids")"
	echo "$(gettext "  -e, --export <keyid(s)>   Export the specified keyids")"
	echo "$(gettext "  -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")"
	echo "$(gettext "  -h, --help                Show this help message and exit")"
	echo "$(gettext "  -l, --list                List keys")"
	echo "$(gettext "  -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
	echo "$(gettext "  -t, --trust <keyid(s)>    Set the trust level of the given keyids")"
	echo "$(gettext "  -u, --updatedb            Update the trustdb of pacman")"
	echo "$(gettext "  -V, --version             Show program version")"
	echo "$(gettext "  --config <file>           Use an alternate config file")"
	printf "$(gettext "                                    (instead of '%s')")\n" "@sysconfdir@/pacman.conf"
	echo "$(gettext "  --gpgdir <dir>            Set an alternate directory for gnupg")"
	printf "$(gettext "                                    (instead of '%s')")\n" "@sysconfdir@/pacman.d/gnupg"
	echo "$(gettext "  --reload                  Reload the default keys")"
}

version() {
	printf "pacman-key (pacman) %s\n" "${myver}"
	printf "$(gettext "\
Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>.\n\
This is free software; see the source for copying conditions.\n\
There is NO WARRANTY, to the extent permitted by law.\n")"
}

# Read provided file and search for values matching the given key
# The contents of the file are expected to be in this format: key = value
# 'key', 'equal sign' and 'value' can be surrounded by random whitespace
# Usage: get_from "$file" "$key" # returns the value for the first matching key in the file
get_from() {
	while read key _ value; do
		if [[ $key = $2 ]]; then
			echo "$value"
			break
		fi
	done < "$1"
}

reload_keyring() {
	local PACMAN_SHARE_DIR='@prefix@/share/pacman'
	local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}"

	# Variable used for iterating on keyrings
	local key
	local key_id

	# Keyring with keys to be added to the keyring
	local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"

	# Keyring with keys that were deprecated and will eventually be deleted
	local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"

	# List of keys removed from the keyring. This file is not a keyring, unlike the others.
	# It is a textual list of values that gpg recogniezes as identifiers for keys.
	local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"

	# Verify signatures of related files, if they exist
	if [[ -r "${ADDED_KEYS}" ]]; then
		msg "$(gettext "Verifying official keys file signature...")"
		if ! ${GPG_PACMAN} --quiet --batch --verify "${ADDED_KEYS}.sig" 1>/dev/null; then
			error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
			exit 1
		fi
	fi

	if [[ -r "${DEPRECATED_KEYS}" ]]; then
		msg "$(gettext "Verifying deprecated keys file signature...")"
		if ! ${GPG_PACMAN} --quiet --batch --verify "${DEPRECATED_KEYS}.sig" 1>/dev/null; then
			error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
			exit 1
		fi
	fi

	if [[ -r "${REMOVED_KEYS}" ]]; then
		msg "$(gettext "Verifying deleted keys file signature...")"
		if ! ${GPG_PACMAN} --quiet --batch --verify "${REMOVED_KEYS}.sig"; then
			error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
			exit 1
		fi
	fi

	# Read the key ids to an array. The conversion from whatever is inside the file
	# to key ids is important, because key ids are the only guarantee of identification
	# for the keys.
	local -A removed_ids
	if [[ -r "${REMOVED_KEYS}" ]]; then
		while read key; do
			local key_values name
			key_values=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')
			if [[ -n $key_values ]]; then
				# The first word is the key_id
				key_id=${key_values%% *}
				# the rest if the name of the owner
				name=${key_values#* }
				if [[ -n ${key_id} ]]; then
					# Mark this key to be deleted
					removed_ids[$key_id]="$name"
				fi
			fi
		done < "${REMOVED_KEYS}"
	fi

	# List of keys that must be kept installed, even if in the list of keys to be removed
	local HOLD_KEYS=$(get_from "$CONFIG" "HoldKeys")

	# Remove the keys that must be kept from the set of keys that should be removed
	if [[ -n ${HOLD_KEYS} ]]; then
		for key in ${HOLD_KEYS}; do
			key_id=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)
			if [[ -n "${removed_ids[$key_id]}" ]]; then
				unset removed_ids[$key_id]
			fi
		done
	fi

	# Add keys from the current set of keys from pacman-keyring package. The web of trust will
	# be updated automatically.
	if [[ -r "${ADDED_KEYS}" ]]; then
		msg "$(gettext "Appending official keys...")"
		local add_keys=$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
		for key_id in ${add_keys}; do
			# There is no point in adding a key that will be deleted right after
			if [[ -z "${removed_ids[$key_id]}" ]]; then
				${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
			fi
		done
	fi

	if [[ -r "${DEPRECATED_KEYS}" ]]; then
		msg "$(gettext "Appending deprecated keys...")"
		local add_keys=$(${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
		for key_id in ${add_keys}; do
			# There is no point in adding a key that will be deleted right after
			if [[ -z "${removed_ids[$key_id]}" ]]; then
				${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
			fi
		done
	fi

	# Remove the keys not marked to keep
	if (( ${#removed_ids[@]} > 0 )); then
		msg "$(gettext "Removing deleted keys from keyring...")"
		for key_id in "${!removed_ids[@]}"; do
			echo "  removing key $key_id - ${removed_ids[$key_id]}"
			${GPG_PACMAN} --quiet --batch --yes --delete-key "${key_id}"
		done
	fi

	# Update trustdb, just to be sure
	msg "$(gettext "Updating trust database...")"
	${GPG_PACMAN} --batch --check-trustdb
}

# PROGRAM START
if ! type gettext &>/dev/null; then
	gettext() {
		echo "$@"
	}
fi

OPT_SHORT="a::d:e:f::hlr:t:uV"
OPT_LONG="add::,config:,delete:,export:,finger::,gpgdir:,help,list"
OPT_LONG+=",receive:,reload,trust:,updatedb,version"
if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
	echo; usage; exit 1 # E_INVALID_OPTION;
fi
eval set -- "$OPT_TEMP"
unset OPT_SHORT OPT_LONG OPT_TEMP

if [[ $1 == "--" ]]; then
	usage;
	exit 0;
fi

while true; do
	case "$1" in
		-a|--add)         ADD=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYFILES=($1) ;;
		--config)         shift; CONFIG=$1 ;;
		-d|--delete)      DELETE=1; shift; KEYIDS=($1) ;;
		-e|--export)      EXPORT=1; shift; KEYIDS=($1) ;;
		-f|--finger)      FINGER=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
		--gpgdir)         shift; PACMAN_KEYRING_DIR=$1 ;;
		-l|--list)        LIST=1 ;;
		-r|--receive)     RECEIVE=1; shift; KEYSERVER="${1[0]}"; KEYIDS=("${1[@]:1}") ;;
		--reload)         RELOAD=1 ;;
		-t|--trust)       TRUST=1; shift; KEYIDS=($1) ;;
		-u|--updatedb)    UPDATEDB=1 ;;

		-h|--help)        usage; exit 0 ;;
		-V|--version)     version; exit 0 ;;

		--)               OPT_IND=0; shift; break;;
		*)                usage; exit 1 ;;
	esac
	shift
done


if ! type -p gpg >/dev/null; then
    error "$(gettext "Cannot find the %s binary required for all %s operations.")" "gpg" "pacman-key"
	exit 1
fi

if (( (ADD || DELETE || RECEIVE || RELOAD || TRUST || UPDATEDB) && EUID != 0 )); then
	error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
	exit 1
fi

CONFIG=${CONFIG:-@sysconfdir@/pacman.conf}
if [[ ! -r "${CONFIG}" ]]; then
	error "$(gettext "%s configuation file '%s' not found.")" "pacman" "$CONFIG"
	exit 1
fi

# Get GPGDIR from pacman.conf iff not specified on command line
if [[ -z PACMAN_KEYRING_DIR && GPGDIR=$(get_from "$CONFIG" "GPGDir") == 0 ]]; then
	PACMAN_KEYRING_DIR="${GPGDIR}"
fi
PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-@sysconfdir@/pacman.d/gnupg}

# Try to create $PACMAN_KEYRING_DIR if non-existent
# Check for simple existence rather than for a directory as someone may want
# to use a symlink here
[[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"

GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning"


(( ADD )) && ${GPG_PACMAN} --quiet --batch --import "${KEYFILES[@]}"
(( DELETE )) && ${GPG_PACMAN} --quiet --batch --delete-key --yes "${KEYIDS[@]}"
(( EXPORT )) && ${GPG_PACMAN} --armor --export "${KEYIDS[@]}"
(( FINGER )) && ${GPG_PACMAN} --batch --fingerprint "${KEYIDS[@]}"
(( LIST )) && ${GPG_PACMAN} --batch --list-sigs "${KEYIDS[@]}"
(( RELOAD )) && reload_keyring
(( UPDATEDB )) && ${GPG_PACMAN} --batch --check-trustdb

if (( RECEIVE )); then
	if [[ -z ${KEYIDS[@]} ]]; then
		error "$(gettext "You need to specify the keyserver and at least one key identifier")"
		exit 1
	fi
	${GPG_PACMAN} --keyserver "$KEYSERVER" --recv-keys "${KEYIDS[@]}"
fi

if (( TRUST )); then
		for key in ${KEYIDS[@]}; do
			# Verify if the key exists in pacman's keyring
			if ${GPG_PACMAN} --list-keys "$key" > /dev/null 2>&1; then
				${GPG_PACMAN} --edit-key "$key"
			else
				error "$(gettext "The key identified by %s does not exist")" "$key"
				exit 1
			fi
			shift
		done
fi

# vim: set ts=2 sw=2 noet: