>>>>> On Wed, 27 Nov 2024, Eli Schwartz wrote: > --- /dev/null > +++ b/eclass/sec-keys.eclass > @@ -0,0 +1,150 @@ > +# Copyright 2024 Gentoo Authors > +# Distributed under the terms of the GNU General Public License v2 > + > +# @ECLASS: sec-keys.eclass > +# @MAINTAINER: > +# Eli Schwartz <eschwa...@gentoo.org> > +# @AUTHOR: > +# Eli Schwartz <eschwa...@gentoo.org> > +# @SUPPORTED_EAPIS: 8 > +# @BLURB: Provides a uniform way of handling ebuilds which package PGP key > material > +# @DESCRIPTION: > +# This eclass provides a streamlined approach to finding suitable source > material > +# for OpenPGP keys used by the verify-sig eclass. Its primary purpose is to > permit > +# developers to easily and securely package new sec-keys/* packages. The > eclass > +# removes the risk of developers accidentally packaging malformed key > material, or > +# neglecting to notice when PGP identities have changed. > +# > +# To use the eclass, define SEC_KEYS_VALIDPGPKEYS to contain the fingerprint > of > +# the key and the short name of the key's owner.
Please wrap these comment lines to a line length of 70-ish characters
for readability.
Also, there should be two spaces after every full stop (except when it's
followed by a newline), so groff can recognise the sentence end in the
generated man page.
> +#
> +# @EXAMPLE:
> +# Example use:
> +#
> +# @CODE
> +# SEC_KEYS_VALIDPGPKEYS=(
> +# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
> +# )
> +#
> +# inherit sec-keys
> +# @CODE
> +
> +case ${EAPI} in
> + 8) ;;
> + *) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
> +esac
> +
> +if [[ ! ${_SEC_KEYS_ECLASS} ]]; then
> +_SEC_KEYS_ECLASS=1
> +
> +inherit edo
> +
> +# @ECLASS_VARIABLE: SEC_KEYS_VALIDPGPKEYS
> +# @PRE_INHERIT
> +# @DEFAULT_UNSET
> +# @DESCRIPTION:
> +# Mapping of fingerprints, name, and optional location of PGP keys to
> include,
> +# separated by colons. The allowed values for a location are:
> +#
> +# - github -- fetch key from github.com/${name}.pgp
> +#
> +# - openpgp -- fetch key by fingerprint from https://keys.openpgp.org
> +#
> +# - ubuntu -- fetch key by fingerprint from http://keyserver.ubuntu.com
> (the default)
> +#
> +# - none -- do not add to SRC_URI, the ebuild will provide a custom
> download location
> +_sec_keys_set_globals() {
> + if [[ ${SEC_KEYS_VALIDPGPKEYS[*]} ]]; then
Why is the if needed? If the array is empty, the following for loop
won't execute.
> + local key fingerprint name loc locations=() remote
> + for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
> + fingerprint=${key%%:*}
> + name=${key#${fingerprint}:}; name=${name%%:*}
> + IFS=: read -r -a locations <<<"${key##*:}"
> + [[ ${locations[@]} ]] || locations=(ubuntu)
> + for loc in "${locations[@]}"; do
> + case ${loc} in
> + github)
> remote="https://github.com/${name}.gpg";;;
> + openpgp)
> remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";;;
> + ubuntu)
> remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";;;
> + # provided via manual SRC_URI
> + none) continue;;
> + *) die "${ECLASS}: unknown PGP key
> remote: ${loc}";;
> +
> + esac
> + SRC_URI+="
> + ${remote} ->
> openpgp-keys-${name}-${loc}-${PV}.asc
> + "
> + done
> + done
> + fi
> +}
> +_sec_keys_set_globals
> +unset -f _sec_keys_set_globals
> +
> +BDEPEND="app-crypt/gnupg"
> +S=${WORKDIR}
> +
> +LICENSE="public-domain"
> +SLOT="0"
> +
> +
> +# @FUNCTION: sec-keys_src_compile
> +# @DESCRIPTION:
> +# Default src_compile override that imports all public keys into a keyring,
> +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS.
> +sec-keys_src_compile() {
> + local -x GNUPGHOME=${WORKDIR}/gnupg
> + mkdir -m700 -p "${GNUPGHOME}" || die
> +
> + pushd "${DISTDIR}" >/dev/null || die
> + gpg --import ${A} || die
> + popd >/dev/null || die
> +
> + local line imported_keys=() found=0
> + while IFS=: read -r -a line; do
> + if [[ ${line[0]} = pub ]]; then
> + # new key
> + found=0
> + elif [[ ${found} = 0 && ${line[0]} = fpr ]]; then
> + # primary fingerprint
> + imported_keys+=("${line[9]}")
> + found=1
> + fi
> + done < <(gpg --batch --list-keys --keyid-format=long --with-colons ||
> die)
> +
> + printf '%s\n' "${imported_keys[@]}" | sort > imported_keys.list || die
> + printf '%s\n' "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}" | sort >
> allowed_keys.list || die
Maybe create these files in ${T} instead?
> +
> + local extra_keys=($(comm -23 imported_keys.list allowed_keys.list ||
> die))
> + local missing_keys=($(comm -13 imported_keys.list allowed_keys.list ||
> die))
> +
> + if [[ ${#extra_keys[@]} != 0 ]]; then
> + die "too many keys found. Suspicious keys: ${extra_keys[@]}"
> + fi
> + if [[ ${#missing_keys[@]} != 0 ]]; then
> + die "too few keys found. Unavailable keys: ${missing_keys[@]}"
> + fi
> +}
> +
> +# @FUNCTION: sec-keys_src_install
> +# @DESCRIPTION:
> +# Default src_install override that minifies and exports all PGP public keys
> +# into an ascii-armored keyfile installed to the standard
> /usr/share/openpgp-keys.
> +sec-keys_src_install() {
> + local -x GNUPGHOME=${WORKDIR}/gnupg
> + local fingerprint
> + local gpg_command=(gpg --no-permission-warning --export-options
> export-minimal)
> +
> + for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
> + local uids=()
> + mapfile -t uids < <("${gpg_command[@]}" --list-key
> --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
> + edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export
> --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
edo dies by itself, so "|| die" is not needed.
> + done
> +
> + insinto /usr/share/openpgp-keys
> + doins ${PN#openpgp-keys-}.asc
> +}
> +
> +fi
> +
> +EXPORT_FUNCTIONS src_compile src_install
signature.asc
Description: PGP signature
