diff options
| -rw-r--r-- | doc/PKGBUILD.5.txt | 8 | ||||
| -rw-r--r-- | scripts/makepkg.sh.in | 23 |
2 files changed, 26 insertions, 5 deletions
diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt index 50d8347c..17e8af25 100644 --- a/doc/PKGBUILD.5.txt +++ b/doc/PKGBUILD.5.txt @@ -128,6 +128,14 @@ Files in the source array with extensions `.sig`, `.sign` or, `.asc` are recognized by makepkg as PGP signatures and will be automatically used to verify the integrity of the corresponding source file. +*validpgpkeys (array)*:: + An array of PGP fingerprints. If this array is non-empty, makepkg will + only accept signatures from the keys listed here and will ignore the + trust values from the keyring. If the source file was signed with a + subkey, makepkg will still use the primary key for comparison. ++ +Fingerprints must be uppercase and must not contain whitespace characters. + *noextract (array)*:: An array of file names corresponding to those from the source array. Files listed here will not be extracted with the rest of the source files. This diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 21bb289c..96e53499 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1245,9 +1245,9 @@ check_checksums() { } parse_gpg_statusfile() { - local type arg1 arg6 + local type arg1 arg6 arg10 - while read -r _ type arg1 _ _ _ _ arg6 _; do + while read -r _ type arg1 _ _ _ _ arg6 _ _ _ arg10 _; do case "$type" in GOODSIG) pubkey=$arg1 @@ -1283,6 +1283,15 @@ parse_gpg_statusfile() { status="error" fi ;; + VALIDSIG) + if [[ $arg10 ]]; then + # If the file was signed with a subkey, arg10 contains + # the fingerprint of the primary key + fingerprint=$arg10 + else + fingerprint=$arg1 + fi + ;; TRUST_UNDEFINED|TRUST_NEVER) trusted=0 ;; @@ -1299,7 +1308,7 @@ check_pgpsigs() { msg "$(gettext "Verifying source file signatures with %s...")" "gpg" - local file ext decompress found pubkey success status trusted + local file ext decompress found pubkey success status fingerprint trusted local warning=0 local errors=0 local statusfile=$(mktemp) @@ -1346,6 +1355,7 @@ check_pgpsigs() { success=0 status= pubkey= + fingerprint= trusted= parse_gpg_statusfile "$statusfile" if (( ! $success )); then @@ -1366,9 +1376,12 @@ check_pgpsigs() { esac errors=1 else - if (( ! $trusted )); then + if (( ${#validpgpkeys[@]} == 0 && ! $trusted )); then printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2 errors=1 + elif (( ${#validpgpkeys[@]} > 0 )) && ! in_array "$fingerprint" "${validpgpkeys[@]}"; then + printf "%s (%s $pubkey)" "$(gettext "FAILED")" "$(gettext "invalid public key")" + errors=1 else printf '%s' "$(gettext "Passed")" >&2 case "$status" in @@ -2881,7 +2894,7 @@ fi unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides unset md5sums replaces depends conflicts backup source install changelog build -unset makedepends optdepends options noextract +unset makedepends optdepends options noextract validpgpkeys BUILDFILE=${BUILDFILE:-$BUILDSCRIPT} if [[ ! -f $BUILDFILE ]]; then |