After most operations that touch the keyring, it is a good idea to
always run a check on the trustdb as this prevents gpg complaining
on later operations.
Inspiration-from: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
The optimization of only importing keys that were not to be later
revoked was a not smart enough. For example, if a key was
in both a repos keyring and its revoke list, alternate runs of
pacman-key --populate would add then remove the key from the pacman
keyring. This problem is made worse when considering the possibility
of multiple keyrings being imported.
Instead, import all keys followed by the revoking of all keys. This
may result in a key being added then revoked, but that is not much of
an issue given that is a very fast operation.
Signed-off-by: Allan McRae <allan@archlinux.org>
The current --reload option, apart from being non-clear in its naming,
is very limited in that only one keyring can be provided. A distribution
may want to provide multiple keyrings for various subsets of its
organisation or custom repo providers may also want to provide a keyring.
This patch adds a --populate option that reads keyrings from (by default)
/usr/share/pacman/keyrings. A keyring is named foo.gpg, with optional
foo-revoked file providing a list of revoked key ids. These files are
required to be signed (detached) by a key trusted by pacman-key, in
practice probably by the key that signed the package providing these
files. The --populate flag either updates the pacman keyring using all
keyrings in the directory or individual keyrings can be specified.
Signed-off-by: Allan McRae <allan@archlinux.org>
This is a safety measure to prevent simple code injection.
$ i="foo bar"
$ eval i="$i"
bash: bar: command not found
$ eval i=\"$i\"
$ echo "|$i|"
|foo bar|
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
If any of pkgver, pkgrel or epoch contained a variable substitution,
then it needed to be evaluated before checking its value conformed
to the rules.
[Dan: add quotes around RHS]
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
makepkg --source is a often used go make source package like for AUR.
Have a -S shortcut will save the world.
Signed-off-by: Sebastien Luttringer <seblu@seblu.net>
Signed-off-by: Dan McGee <dan@archlinux.org>
When creating a repo outside the current directory, the signature
symlink was not created.
Reported-by: Gaetan Bisson <bisson@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
The use of warning once we had already started adding a package was
confusing as it broke the standard indent pattern. It was especially bad
if adding multiple packages as it wasn't clear what sub-messages applied
to which package being added. This should be an output change only from:
==> Adding package '/tmp/sync/netcfg-2.6.7-1-any.pkg.tar.xz'
-> Computing checksums...
-> Adding package signature...
==> WARNING: An entry for 'netcfg-2.6.7-1' already existed
-> Removing existing entry 'netcfg-2.6.7-1'...
-> Creating 'desc' db entry...
-> Creating 'depends' db entry...
to:
==> Adding package '/tmp/sync/netcfg-2.6.7-1-any.pkg.tar.xz'
==> WARNING: An entry for 'netcfg-2.6.7-1' already existed
-> Computing checksums...
-> Adding package signature...
-> Removing existing entry 'netcfg-2.6.7-1'...
-> Creating 'desc' db entry...
-> Creating 'depends' db entry...
Signed-off-by: Dan McGee <dan@archlinux.org>
These are equivalent. Use the autoconf macro for consistency.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This applies to the repo-remove man page as well as the script itself.
Yes Dan, I ran distcheck afterwards.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
When adding a package to a repo, it is useful to be able to see
that repo-add has indeed found the signature file.
[Dan: update text to be more in line with other messages]
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This also pulls in some early translations we had entered in Transifex
in the last day so those would not be lost. The diffstat is huge and not
very telling as usual, as all sorts of fuzzyness switches happened this
time around for some reason.
Signed-off-by: Dan McGee <dan@archlinux.org>
This moves us toward staring translations for the 4.0.0 release,
although this should not be interpreted as a string freeze by any means.
Signed-off-by: Dan McGee <dan@archlinux.org>
In this case, we skip the epoch versioning entirely, as if it were
declared as 0.
Prevents errors such as:
/usr/bin/makepkg: line 244: ((: ! : syntax error: operand expected
(error token is " ")
==> Finished making: cower-git :20110808-1 (Mon Aug 8 17:17:27 EDT
2011)
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
The current --list option outputed the keys and all their signatures
which can be overly verbose. It also did not take a list of keys on
the command line to limit its output (although the code suggests that
was intended).
That patch brings consistency with gpg, providing --list-keys and
--list-sigs options that function equivalently to those provided by
gpg.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Currently, pacman-key allows the user to import their keys using the --add
option. However, no similar functionality exists for importing ownertrust
values.
The --import-trustdb option takes a list of directories and imports ownertrust
values if the directories have a trustdb.gpg database.
The --import option takes a list of directories and imports keys from
pubring.gpg and ownertrust values from trustdb.gpg. Think of it as a combination
of --add and --import-trustdb
Signed-off-by: Pang Yan Han <pangyanhan@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Allows the commands to safely handle any possible arguments
Signed-off-by: DJ Mills <danielmills1@gmail.com>
Allan: rebase patch
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Move the source integrity checking into its own function as the code
was duplicated and is now more complicated with the separation of the
two checks types.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Allows the skipping of all integrity checks (checksum and PGP) or
either the checksum or PGP checks individually.
Original-patch-by: Wieland Hoffman <theminew@googlemail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Many projects provide signature files along with the source code
archives. It's good to check these, too, when verifying the integrity
of source code archives.
Not everybody is using gpg so the verification can be disabled with
--skippgpcheck.
Additionally, only a warning is displayed when the key that signed the
source file is unknown.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
When epoch, pkgver and/or pkgrel were overridden in a split package
function, makepkg failed hard finding the real version for checking
if packages were already built or trying to install packages. Fix
the get_full_version function to deal with overrides and return the
actual package version.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
We can override pkgver and pkgrel so it is only logical to add epoch
to that list
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Check any overrides of the "arch" variable contain the required
architecture.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Enforce syntax checking for pkgrel and pkgver overrides in package
functions.
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
There is always someone who tries to break things (cough *Dave* cough...)
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This is a cleaner expression of the same information.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
Makes sure that the pacman keyring is readable and that the user
has permissions to create a lock file if lock-never is not specified
in the gpg.conf file.
Signed-off-by: Allan McRae <allan@archlinux.org>
Add an --init option that ensures that the pacman keyring has all
the necessary files and they have the correct permissions for being
read as a user.
Signed-off-by: Allan McRae <allan@archlinux.org>
This function had a variety of pitfalls, including the inability to
successfully find a key=value pair where no whitespace surrounded the
equals sign. Make it more robust by splitting the line on the equals
itself, and performing whitespace trimming on the resulting key/value
pair.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Follow the example of gpg and only allow a single operation to be
specified each time. Prevents having to deal with conflicting
variable names and potential issues due to the order in which the
operations are run.
Signed-off-by: Allan McRae <allan@archlinux.org>