summaryrefslogtreecommitdiffstats
path: root/scripts
diff options
context:
space:
mode:
authorDan McGee <dan@archlinux.org>2011-08-26 01:39:11 +0200
committerDan McGee <dan@archlinux.org>2011-08-30 15:23:46 +0200
commit7479bf21e85c118067351769cdc9f1fd589ac4dc (patch)
treefcc5275770af699d4c050199d6b13cb93bd2e647 /scripts
parent06b228b20fff23500e5bb9bc8cdf96a86ca244e8 (diff)
downloadpacman-7479bf21e85c118067351769cdc9f1fd589ac4dc.tar.gz
pacman-7479bf21e85c118067351769cdc9f1fd589ac4dc.tar.xz
pacman-key master key generation
This enables pacman-key, during --init, to generate a single secret key for the pacman keyring if one is not present. This will be used as the root of the web of trust for those that do not wish to manage it with their own key, as will be the default. This does not preclude later adding other secret keys to the keyring, or removing this one- we simply ensure you have at least one secret key available. Signed-off-by: Dan McGee <dan@archlinux.org>
Diffstat (limited to 'scripts')
-rw-r--r--scripts/pacman-key.sh.in25
1 files changed, 25 insertions, 0 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index c200d8e4..8f108250 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -100,6 +100,25 @@ get_from() {
return 1
}
+generate_master_key() {
+ # Generate the master key, which will be in both pubring and secring
+ "${GPG_PACMAN[@]}" --gen-key --batch <<EOF
+%echo Generating pacman keychain master key...
+Key-Type: RSA
+Key-Length: 2048
+Key-Usage: sign
+Name-Real: Pacman Keychain Master Key
+Name-Email: pacman@localhost
+Expire-Date: 0
+%commit
+%echo Done
+EOF
+}
+
+secret_keys_available() {
+ "${GPG_PACMAN[@]}" -K --with-colons | wc -l
+}
+
# Adds the given gpg.conf option if it is not present in the file.
# Note that if we find it commented out, we won't add the option.
# args: $1 conffile, $2 option-name, $3 (optional) option-value
@@ -135,6 +154,12 @@ initialize() {
add_gpg_conf_option "$conffile" 'no-permission-warning'
add_gpg_conf_option "$conffile" 'lock-never'
add_gpg_conf_option "$conffile" 'keyserver' 'hkp://keys.gnupg.net'
+
+ # set up a private signing key (if none available)
+ if [[ $(secret_keys_available) -lt 1 ]]; then
+ generate_master_key
+ UPDATEDB=1
+ fi
}
check_keyring() {