diff options
author | Dan McGee <dan@archlinux.org> | 2011-08-29 19:52:51 +0200 |
---|---|---|
committer | Dan McGee <dan@archlinux.org> | 2011-08-30 15:39:26 +0200 |
commit | 50f53b293c0ff823065e7a98d288787ca7bd4ba9 (patch) | |
tree | db812d07c8f6723a27298efe84a1207ad637a113 | |
parent | 7479bf21e85c118067351769cdc9f1fd589ac4dc (diff) | |
download | pacman-50f53b293c0ff823065e7a98d288787ca7bd4ba9.tar.gz pacman-50f53b293c0ff823065e7a98d288787ca7bd4ba9.tar.xz |
pacman-key: add --lsign-key operation
This allows local signing of a given key to help establish the web of
trust rooted at the generated (or imported) master key.
Signed-off-by: Dan McGee <dan@archlinux.org>
-rw-r--r-- | scripts/pacman-key.sh.in | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 8f108250..14ea07d5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -37,6 +37,7 @@ IMPORT_TRUSTDB=0 INIT=0 LISTKEYS=0 LISTSIGS=0 +LSIGNKEY=0 POPULATE=0 RECEIVE=0 UPDATEDB=0 @@ -178,6 +179,13 @@ check_keyring() { fi fi + if (( LSIGNKEY )); then + if [[ $(secret_keys_available) -lt 1 ]]; then + error "$(gettext "There is no secret key available to sign with.")" + msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init" + exit 1 + fi + fi } verify_keyring_input() { @@ -357,7 +365,7 @@ fi OPT_SHORT="a::d:e:f::hl::r:uv:V" OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:" OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::" -OPT_LONG+=",populate::,receive:,updatedb,verify:,version" +OPT_LONG+=",lsign-key:,populate::,receive:,updatedb,verify:,version" if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then echo; usage; exit 1 # E_INVALID_OPTION; fi @@ -383,6 +391,7 @@ while true; do --init) INIT=1 ;; -l|--list-keys) LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;; --list-sigs) LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;; + --lsign-key) LSIGNKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;; --populate) POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;; -r|--receive) RECEIVE=1; shift; TMP=($1); KEYSERVER=${TMP[0]}; KEYIDS=(${TMP[@]:1}); unset TMP; UPDATEDB=1 ;; -u|--updatedb) UPDATEDB=1 ;; @@ -403,7 +412,7 @@ if ! type -p gpg >/dev/null; then exit 1 fi -if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then +if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || LSIGNKEY || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key" exit 1 fi @@ -423,7 +432,7 @@ GPG_PACMAN=(gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning) # check only a single operation has been given # don't include UPDATEDB in here as other opts can induce it numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB + - INIT + LISTKEYS + LISTSIGS + POPULATE + RECEIVE + VERIFY )) + INIT + LISTKEYS + LISTSIGS + LSIGNKEY + POPULATE + RECEIVE + VERIFY )) case $numopt in 0) @@ -451,6 +460,8 @@ esac (( INIT )) && initialize (( LISTKEYS )) && "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}" (( LISTSIGS )) && "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}" +# TODO: we can't do --batch on lsign until we figure out --command-fd +(( LSIGNKEY )) && "${GPG_PACMAN[@]}" --lsign-key "${KEYIDS[@]}" (( POPULATE )) && populate_keyring (( RECEIVE )) && receive_keys (( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE |