authorDan McGee <dan@archlinux.org>2011-03-23 02:17:58 -0500
committerDan McGee <dan@archlinux.org>2011-03-23 02:17:58 -0500
commit36747e4a7f2bf26391573c113950f063daed19b9 (patch)
treecca6d9c0a5515324a0b78d707a26fbe769140a4b
parent3df49acb30cb5a06e15faffcc18cc52b74905e7f (diff)
parentb625d03dd689faa598b1427677f9308f516d6946 (diff)
Merge branch 'gpg-pacman-key'
-rw-r--r--doc/.gitignore1
-rw-r--r--doc/Makefile.am4
-rw-r--r--doc/index.txt1
-rw-r--r--doc/pacman-key.8.txt85
-rw-r--r--scripts/.gitignore1
-rw-r--r--scripts/Makefile.am3
-rw-r--r--scripts/pacman-key.sh.in320
7 files changed, 415 insertions, 0 deletions
diff --git a/doc/.gitignore b/doc/.gitignore
index a6f4df7f..4c4e158d 100644
--- a/doc/.gitignore
+++ b/doc/.gitignore
@@ -3,6 +3,7 @@ libalpm.3
makepkg.8
makepkg.conf.5
pacman.8
+pacman-key.8
pacman.conf.5
repo-add.8
repo-remove.8
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 00a0e88d..ed9bb000 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -8,6 +8,7 @@ ASCIIDOC_MANS = \
makepkg.8 \
repo-add.8 \
vercmp.8 \
+ pacman-key.8 \
PKGBUILD.5 \
makepkg.conf.5 \
pacman.conf.5 \
@@ -20,6 +21,7 @@ HTML_MANPAGES = \
makepkg.8.html \
repo-add.8.html \
vercmp.8.html \
+ pacman-key.8.html \
PKGBUILD.5.html \
makepkg.conf.5.html \
pacman.conf.5.html \
@@ -41,6 +43,7 @@ EXTRA_DIST = \
makepkg.8.txt \
repo-add.8.txt \
vercmp.8.txt \
+ pacman-key.8.txt \
PKGBUILD.5.txt \
PKGBUILD-example.txt \
makepkg.conf.5.txt \
@@ -133,6 +136,7 @@ pacman.8 pacman.8.html: pacman.8.txt
makepkg.8 makepkg.8.html: makepkg.8.txt
repo-add.8 repo-add.8.html: repo-add.8.txt
vercmp.8 vercmp.8.html: vercmp.8.txt
+pacman-key.8 pacman-key.8.html: pacman-key.8.txt
PKGBUILD.5 PKGBUILD.5.html: PKGBUILD.5.txt PKGBUILD-example.txt
makepkg.conf.5 makepkg.conf.5.html: makepkg.conf.5.txt
pacman.conf.5 pacman.conf.5.html: pacman.conf.5.txt
diff --git a/doc/index.txt b/doc/index.txt
index 0d855bdf..3703421c 100644
--- a/doc/index.txt
+++ b/doc/index.txt
@@ -41,6 +41,7 @@ configuration files dealing with pacman.
* linkman:makepkg[8]
* linkman:makepkg.conf[5]
* linkman:pacman[8]
+* linkman:pacman-key[8]
* linkman:pacman.conf[5]
* linkman:repo-add[8]
* linkman:vercmp[8]
diff --git a/doc/pacman-key.8.txt b/doc/pacman-key.8.txt
new file mode 100644
index 00000000..9bd135ce
--- /dev/null
+++ b/doc/pacman-key.8.txt
@@ -0,0 +1,85 @@
+/////
+vim:set ts=4 sw=4 syntax=asciidoc noet:
+/////
+pacman-key(8)
+=============
+
+
+Name
+----
+pacman-key - manage pacman's list of trusted keys
+
+
+Synopsis
+--------
+'pacman-key' [options] <command> [arguments]
+
+
+Description
+-----------
+pacman-key is a script used to manage pacman's keyring, which is the collection
+of GnuPG keys used to check signed packages. It provides the ability to import
+and export keys, fetch keys from keyservers and update the key trust database.
+
+
+Options
+-------
+*\--config* <file>::
+ Use an alternate config file instead of the `{sysconfdir}/pacman.conf`
+ default.
+
+*\--gpgdir* <dir>::
+ Set an alternate home directory for GnuPG. If unspecified, the value is
+ read from `{sysconfdir}/pacman.conf`.
+
+
+Commands
+-------
+*-a, \--add* file ...::
+ Add the key(s) contained in the specified file or files to pacman's
+ keyring. If a key already exists, update it.
+
+*\--adv* param ...::
+ Use this option to issue particular GnuPG actions to pacman's keyring. This
+ option should be used with care as it can modify pacman's trust in
+ packages' signatures.
+
+*-d, \--del* keyid ...::
+ Remove the key(s) identified by the specified keyid or keyids from pacman's
+ keyring.
+
+*-e, \--export* [keyid ...]::
+ Export key(s) identified by the specified keyid to 'stdout'. If no keyid is
+ specified, all keys will be exported.
+
+*-f, \--finger* [keyid ...]::
+ List a fingerprint for each specified keyid, or for all known keys if no
+ keyids are specified.
+
+*-h, \--help*::
+ Output syntax and command line options.
+
+*-l, \--list*::
+ Equivalent to --list-sigs from GnuPG.
+
+*-r, \--receive* keyserver keyid ...::
+ Fetch the specified keyids from the specified key server URL.
+
+*\--reload*::
+ Reloads the keys from the keyring package.
+
+*-t, \--trust* keyid::
+ Set the trust level of the given key.
+
+*-u, \--updatedb*::
+ Equivalent to \--check-trustdb in GnuPG.
+
+*-v, \--version*::
+ Displays the program version.
+
+
+See Also
+--------
+linkman:pacman[8], linkman:pacman.conf[5]
+
+include::footer.txt[]
diff --git a/scripts/.gitignore b/scripts/.gitignore
index fe4616f2..927b14c8 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -5,3 +5,4 @@ rankmirrors
repo-add
repo-remove
pkgdelta
+pacman-key
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index ae6ce366..7c64e81c 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -8,6 +8,7 @@ bin_SCRIPTS = \
OURSCRIPTS = \
makepkg \
pacman-db-upgrade \
+ pacman-key \
pacman-optimize \
pkgdelta \
rankmirrors \
@@ -16,6 +17,7 @@ OURSCRIPTS = \
EXTRA_DIST = \
makepkg.sh.in \
pacman-db-upgrade.sh.in \
+ pacman-key.sh.in \
pacman-optimize.sh.in \
pkgdelta.sh.in \
rankmirrors.sh.in \
@@ -64,6 +66,7 @@ $(OURSCRIPTS): Makefile
makepkg: $(srcdir)/makepkg.sh.in
pacman-db-upgrade: $(srcdir)/pacman-db-upgrade.sh.in
+pacman-key: ${srcdir}/pacman-key.sh.in
pacman-optimize: $(srcdir)/pacman-optimize.sh.in
pkgdelta: $(srcdir)/pkgdelta.sh.in
rankmirrors: $(srcdir)/rankmirrors.sh.in
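Review bot: `pacman-key: ${srcdir}/pacman-key.sh.in` uses the `${srcdir}` form where every neighbouring rule in this hunk writes `$(srcdir)`; make treats the two identically, but the odd one out reads as a typo and will be copied forward. Change it to `pacman-key: $(srcdir)/pacman-key.sh.in` to match its siblings. The shared recipe these prerequisite lines attach to (`$(OURSCRIPTS): Makefile`) starts above the hunk, so this is a style point only.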
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
new file mode 100644
index 00000000..5746e64f
--- /dev/null
+++ b/scripts/pacman-key.sh.in
@@ -0,0 +1,320 @@
+#!@BASH_SHELL@ -e
+#
+# pacman-key - manages pacman's keyring
+# Based on apt-key, from Debian
+# @configure_input@
+#
+# Copyright (c) 2010 - Pacman Development Team <pacman-dev@archlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# gettext initialization
+export TEXTDOMAIN='pacman'
+export TEXTDOMAINDIR='@localedir@'
+
+myver="@PACKAGE_VERSION@"
+
+msg() {
+ local mesg=$1; shift
+ printf "==> ${mesg}\n" "$@" >&1
+}
+
+msg2() {
+ (( QUIET )) && return
+ local mesg=$1; shift
+ printf " -> ${mesg}\n" "$@" >&1
+}
+
+warning() {
+ local mesg=$1; shift
+ printf "==> $(gettext "WARNING:") ${mesg}\n" "$@" >&2
+}
+
+error() {
+ local mesg=$1; shift
+ printf "==> $(gettext "ERROR:") ${mesg}\n" "$@" >&2
+}
+
+usage() {
+ printf "pacman-key (pacman) %s\n" ${myver}
+ echo
+ printf "$(gettext "Usage: %s [options] <command> [arguments]")\n" $(basename $0)
+ echo
+ echo "$(gettext "Manage pacman's list of trusted keys")"
+ echo
+ echo "$(gettext "Options must be placed before commands. The available options are:")"
+ printf "$(gettext " --config <file> Use an alternate config file (instead of '%s')")\n" "$CONFIG"
+ echo "$(gettext " --gpgdir Set an alternate directory for gnupg")"
+ echo
+ echo "$(gettext "The available commands are:")"
+ echo "$(gettext " -a, --add [<file(s)>] Add the specified keys (empty for stdin)")"
+ echo "$(gettext " -d, --del <keyid(s)> Remove the specified keyids")"
+ echo "$(gettext " -e, --export <keyid(s)> Export the specified keyids")"
+ echo "$(gettext " -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")"
+ echo "$(gettext " -h, --help This help")"
+ echo "$(gettext " -l, --list List keys")"
+ echo "$(gettext " -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
+ echo "$(gettext " -t, --trust <keyid(s)> Set the trust level of the given keyids")"
+ echo "$(gettext " -u, --updatedb Update the trustdb of pacman")"
+ echo "$(gettext " -V, --version Show program version")"
+ echo "$(gettext " --adv <params> Use pacman's keyring with advanced gpg commands")"
+ printf "$(gettext " --reload Reload the default keys")"
+ echo
+}
+
+version() {
+ printf "pacman-key (pacman) %s\n" "${myver}"
+ printf "$(gettext "\
+Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>.\n\
+This is free software; see the source for copying conditions.\n\
+There is NO WARRANTY, to the extent permitted by law.\n")"
+}
+
+find_config() {
+ # Prints on stdin the values of all the options from the configuration file that
+ # are associated with the first parameter of this function.
+ # The option names are stripped
+ grep -e "^[[:blank:]]*$1[[:blank:]]*=.*" "$CONFIG" | cut -d= -f 2-
+}
+
+reload_keyring() {
+ local PACMAN_SHARE_DIR='@prefix@/share/pacman'
+ local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}"
+
+ # Variable used for iterating on keyrings
+ local key
+ local key_id
+
+ # Keyring with keys to be added to the keyring
+ local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
+
+ # Keyring with keys that were deprecated and will eventually be deleted
+ local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"
+
+ # List of keys removed from the keyring. This file is not a keyring, unlike the others.
+ # It is a textual list of values that gpg recogniezes as identifiers for keys.
+ local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"
+
+ # Verify signatures of related files, if they exist
+ if [[ -r "${ADDED_KEYS}" ]]; then
+ msg "$(gettext "Verifying official keys file signature...")"
+ if ! ${GPG_PACMAN} --quiet --batch --verify "${ADDED_KEYS}.sig" 1>/dev/null; then
+ error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
+ exit 1
+ fi
+ fi
+
+ if [[ -r "${DEPRECATED_KEYS}" ]]; then
+ msg "$(gettext "Verifying deprecated keys file signature...")"
+ if ! ${GPG_PACMAN} --quiet --batch --verify "${DEPRECATED_KEYS}.sig" 1>/dev/null; then
+ error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
+ exit 1
+ fi
+ fi
+
+ if [[ -r "${REMOVED_KEYS}" ]]; then
+ msg "$(gettext "Verifying deleted keys file signature...")"
+ if ! ${GPG_PACMAN} --quiet --batch --verify "${REMOVED_KEYS}.sig"; then
+ error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
+ exit 1
+ fi
+ fi
+
+ # Read the key ids to an array. The conversion from whatever is inside the file
+ # to key ids is important, because key ids are the only guarantee of identification
+ # for the keys.
+ local -A removed_ids
+ if [[ -r "${REMOVED_KEYS}" ]]; then
+ while read key; do
+ local key_values name
+ key_values=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')
+ if [[ -n $key_values ]]; then
+ # The first word is the key_id
+ key_id=${key_values%% *}
+ # the rest if the name of the owner
+ name=${key_values#* }
+ if [[ -n ${key_id} ]]; then
+ # Mark this key to be deleted
+ removed_ids[$key_id]="$name"
+ fi
+ fi
+ done < "${REMOVED_KEYS}"
+ fi
+
+ # List of keys that must be kept installed, even if in the list of keys to be removed
+ local HOLD_KEYS=$(find_config "HoldKeys")
+
+ # Remove the keys that must be kept from the set of keys that should be removed
+ if [[ -n ${HOLD_KEYS} ]]; then
+ for key in ${HOLD_KEYS}; do
+ key_id=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)
+ if [[ -n "${removed_ids[$key_id]}" ]]; then
+ unset removed_ids[$key_id]
+ fi
+ done
+ fi
+
+ # Add keys from the current set of keys from pacman-keyring package. The web of trust will
+ # be updated automatically.
+ if [[ -r "${ADDED_KEYS}" ]]; then
+ msg "$(gettext "Appending official keys...")"
+ local add_keys=$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+ for key_id in ${add_keys}; do
+ # There is no point in adding a key that will be deleted right after
+ if [[ -z "${removed_ids[$key_id]}" ]]; then
+ ${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+ fi
+ done
+ fi
+
+ if [[ -r "${DEPRECATED_KEYS}" ]]; then
+ msg "$(gettext "Appending deprecated keys...")"
+ local add_keys=$(${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+ for key_id in ${add_keys}; do
+ # There is no point in adding a key that will be deleted right after
+ if [[ -z "${removed_ids[$key_id]}" ]]; then
+ ${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+ fi
+ done
+ fi
+
+ # Remove the keys not marked to keep
+ if (( ${#removed_ids[@]} > 0 )); then
+ msg "$(gettext "Removing deleted keys from keyring...")"
+ for key_id in "${!removed_ids[@]}"; do
+ echo " removing key $key_id - ${removed_ids[$key_id]}"
+ ${GPG_PACMAN} --quiet --batch --yes --delete-key "${key_id}"
+ done
+ fi
+
+ # Update trustdb, just to be sure
+ msg "$(gettext "Updating trust database...")"
+ ${GPG_PACMAN} --batch --check-trustdb
+}
+
+# PROGRAM START
+if ! type gettext &>/dev/null; then
+ gettext() {
+ echo "$@"
+ }
+fi
+
+if [[ $1 != "--version" && $1 != "-V" && $1 != "--help" && $1 != "-h" && $1 != "" ]]; then
+ if type -p gpg >/dev/null 2>&1 = 1; then
+ error "$(gettext "gnupg does not seem to be installed.")"
+ msg2 "$(gettext "pacman-key requires gnupg for most operations.")"
+ exit 1
+ elif (( EUID != 0 )); then
+ error "$(gettext "pacman-key needs to be run as root.")"
+ exit 1
+ fi
+fi
+
+# Parse global options
+CONFIG="@sysconfdir@/pacman.conf"
+PACMAN_KEYRING_DIR="@sysconfdir@/pacman.d/gnupg"
+while [[ $1 =~ ^--(config|gpgdir)$ ]]; do
+ case "$1" in
+ --config) shift; CONFIG="$1" ;;
+ --gpgdir) shift; PACMAN_KEYRING_DIR="$1" ;;
+ esac
+ shift
+done
+
+if [[ ! -r "${CONFIG}" ]]; then
+ error "$(gettext "%s not found.")" "$CONFIG"
+ exit 1
+fi
+
+# Read GPGDIR from $CONFIG.
+# The pattern is: any spaces or tabs, GPGDir, any spaces or tabs, equal sign
+# and the rest of the line. The string is splitted after the first occurrence of =
+if [[ GPGDIR=$(find_config "GPGDir") == 0 ]]; then
+ PACMAN_KEYRING_DIR="${GPGDIR}"
+fi
+GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR}"
+
+# Parse and execute command
+command="$1"
+if [[ -z "${command}" ]]; then
+ usage
+ exit 1
+fi
+shift
+
+case "${command}" in
+ -a|--add)
+ # If there is no extra parameter, gpg will read stdin
+ ${GPG_PACMAN} --quiet --batch --import "$@"
+ ;;
+ -d|--del)
+ if (( $# == 0 )); then
+ error "$(gettext "You need to specify at least one key identifier")"
+ exit 1
+ fi
+ ${GPG_PACMAN} --quiet --batch --delete-key --yes "$@"
+ ;;
+ -u|--updatedb)
+ ${GPG_PACMAN} --batch --check-trustdb
+ ;;
+ --reload)
+ reload_keyring
+ ;;
+ -l|--list)
+ ${GPG_PACMAN} --batch --list-sigs "$@"
+ ;;
+ -f|--finger)
+ ${GPG_PACMAN} --batch --fingerprint "$@"
+ ;;
+ -e|--export)
+ ${GPG_PACMAN} --armor --export "$@"
+ ;;
+ -r|--receive)
+ if (( $# < 2 )); then
+ error "$(gettext "You need to specify the keyserver and at least one key identifier")"
+ exit 1
+ fi
+ keyserver="$1"
+ shift
+ ${GPG_PACMAN} --keyserver "${keyserver}" --recv-keys "$@"
+ ;;
+ -t|--trust)
+ if (( $# == 0 )); then
+ error "$(gettext "You need to specify at least one key identifier")"
+ exit 1
+ fi
+ while (( $# > 0 )); do
+ # Verify if the key exists in pacman's keyring
+ if ${GPG_PACMAN} --list-keys "$1" > /dev/null 2>&1; then
+ ${GPG_PACMAN} --edit-key "$1"
+ else
+ error "$(gettext "The key identified by %s doesn't exist")" "$1"
+ exit 1
+ fi
+ shift
+ done
+ ;;
+ --adv)
+ msg "$(gettext "Executing: %s ")$*" "${GPG_PACMAN}"
+ ${GPG_PACMAN} "$@" || ret=$?
+ exit $ret
+ ;;
+ -h|--help)
+ usage; exit 0 ;;
+ -V|--version)
+ version; exit 0 ;;
+ *)
+ usage; exit 1 ;;
+esac
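Review bot: `if [[ GPGDIR=$(find_config "GPGDir") == 0 ]]` never assigns GPGDIR — inside `[[ ]]` it is a string comparison of `GPGDIR=<value>` against `0`, which is always false, so the GPGDir setting in pacman.conf is silently ignored and `@sysconfdir@/pacman.d/gnupg` is always used; the intended form is `GPGDIR=$(find_config "GPGDir")` on its own line followed by `if [[ -n "${GPGDIR}" ]]; then PACMAN_KEYRING_DIR="${GPGDIR}"; fi`. The gnupg presence check a few lines earlier is off in the same way: `type -p gpg >/dev/null 2>&1 = 1` hands `=` and `1` to `type` as extra names, so its exit status does not reflect whether gpg exists; the intended test is `if ! type -p gpg >/dev/null 2>&1; then`. In reload_keyring the `--verify` calls run against pacman's own keyring, so, as far as this hunk shows, a signature by any key already imported there (including one added locally with `--add`) is accepted for addedkeys.gpg, deprecatedkeys.gpg and removedkeys; a comment naming the key expected to sign those files, or a check of the signing key reported on gpg's `--status-fd` output, would make that trust anchor explicit. The man page added in this commit documents `-v, --version`, while the usage text and the case statement only accept `-V`; the two should agree.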