#!/bin/bash
#
# generate_signature.sh - functions for generating PGP signatures
#
# Copyright (c) 2008-2020 Pacman Development Team <pacman-dev@archlinux.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
# Include guard: this library can be sourced more than once per makepkg run,
# so stop here if it has already been loaded into the current shell.
if [[ -n "$LIBMAKEPKG_INTEGRITY_GENERATE_SIGNATURE_SH" ]]; then
	return
fi
LIBMAKEPKG_INTEGRITY_GENERATE_SIGNATURE_SH=1

# Root of the libmakepkg tree. The '@libmakepkgdir@' token is presumably
# replaced at build time; the environment may override it via LIBRARY.
LIBRARY=${LIBRARY:-'@libmakepkgdir@'}

# Provides the msg/msg2/warning output helpers used by the functions below.
source "$LIBRARY/util/message.sh"
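#######################################
# Detach-sign one file with gpg, producing "<file>.sig" next to it.
# Globals:
#   GPGKEY (read) - optional key id / user id passed to gpg as '-u'
# Arguments:
#   $1 - path of the file to sign
# Outputs:
#   msg2 on success, warning on failure; gpg's own stdout/stderr are
#   discarded, so only the exit status is surfaced to the user
# Returns:
#   0 on success, otherwise gpg's exit status
#######################################
create_signature() {
	local ret=0
	local filename="$1"

	# Hold the key selection in an array so a GPGKEY that contains
	# whitespace (e.g. a user id like "Name <mail>") reaches gpg as a
	# single argument instead of being word-split into several.
	local -a signwithkey=()
	if [[ -n $GPGKEY ]]; then
		signwithkey=(-u "${GPGKEY}")
	fi

	# gpg output is silenced on purpose; the result is reported below.
	gpg --detach-sign --use-agent "${signwithkey[@]}" --no-armor "$filename" &>/dev/null || ret=$?

	if (( ! ret )); then
		msg2 "$(gettext "Created signature file %s.")" "${filename##*/}.sig"
	else
		warning "$(gettext "Failed to sign package file %s.")" "${filename##*/}"
	fi

	return "$ret"
}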
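#######################################
# Sign every built package, plus the debug package when one was produced.
# Globals:
#   SIGNPKG (read) - signing is skipped entirely unless it equals 'y'
#   pkgname (read) - array of package names to sign; never modified, since
#                    later stages (e.g. install) still depend on it
#   pkgbase, PKGDEST, PKGEXT (read) - used to locate the package files
# Outputs:
#   a progress line via msg; per-file results via create_signature
# Returns:
#   0 when signing was skipped or every signature succeeded; otherwise the
#   exit status of the last create_signature call (or get_full_version)
#   that failed
#######################################
create_package_signatures() {
	local ret=0
	if [[ $SIGNPKG != 'y' ]]; then
		return 0
	fi

	local pkg pkgarch pkg_file fullver
	# Assign separately from the declaration so a failing helper is not
	# masked by the (always zero) exit status of 'local'.
	fullver=$(get_full_version) || return

	msg "$(gettext "Signing package(s)...")"

	for pkg in "${pkgname[@]}"; do
		pkgarch=$(get_pkg_arch "$pkg")
		pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}"

		# Keep going after a failure so every package is attempted; the
		# non-zero status is remembered and returned at the end.
		create_signature "$pkg_file" || ret=$?
	done

	# A debug package is only expected when both 'debug' and 'strip' are
	# enabled, and even then it may not exist, so test for the file before
	# trying to sign it. '@DEBUGSUFFIX@' is presumably filled in at build time.
	if check_option "debug" "y" && check_option "strip" "y"; then
		pkg=$pkgbase-@DEBUGSUFFIX@
		pkgarch=$(get_pkg_arch)
		pkg_file="$PKGDEST/${pkg}-${fullver}-${pkgarch}${PKGEXT}"
		if [[ -f $pkg_file ]]; then
			create_signature "$pkg_file" || ret=$?
		fi
	fi

	return "$ret"
}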