5 files changed, 431 insertions, 9 deletions
diff --git a/scripts/.gitignore b/scripts/.gitignore
index fe4616f2..927b14c8 100644
--- a/scripts/.gitignore
+++ b/scripts/.gitignore
@@ -5,3 +5,4 @@ rankmirrors
 repo-add
 repo-remove
 pkgdelta
+pacman-key
diff --git a/scripts/Makefile.am b/scripts/Makefile.am
index ae6ce366..7c64e81c 100644
--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -8,6 +8,7 @@ bin_SCRIPTS = \
 OURSCRIPTS = \
 	makepkg \
 	pacman-db-upgrade \
+	pacman-key \
 	pacman-optimize \
 	pkgdelta \
 	rankmirrors \
@@ -16,6 +17,7 @@ OURSCRIPTS = \
 EXTRA_DIST = \
 	makepkg.sh.in \
 	pacman-db-upgrade.sh.in \
+	pacman-key.sh.in \
 	pacman-optimize.sh.in \
 	pkgdelta.sh.in \
 	rankmirrors.sh.in \
@@ -64,6 +66,7 @@ $(OURSCRIPTS): Makefile
 
 makepkg: $(srcdir)/makepkg.sh.in
 pacman-db-upgrade: $(srcdir)/pacman-db-upgrade.sh.in
+pacman-key: ${srcdir}/pacman-key.sh.in
 pacman-optimize: $(srcdir)/pacman-optimize.sh.in
 pkgdelta: $(srcdir)/pkgdelta.sh.in
 rankmirrors: $(srcdir)/rankmirrors.sh.in
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index eb7c3701..143d48fc 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -392,7 +392,7 @@ run_pacman() {
 	local cmd
 	printf -v cmd "%q " "$PACMAN" $PACMAN_OPTS "$@"
 	if (( ! ASROOT )) && [[ ! $1 =~ ^-(T|Qq)$ ]]; then
-		if [ "$(type -p sudo)" ]; then
+		if type -p sudo >/dev/null; then
 			cmd="sudo $cmd"
 		else
 			cmd="su -c '$cmd'"
@@ -1068,6 +1068,9 @@ create_package() {
 	local pkg_file="$PKGDEST/${nameofpkg}-${fullver}-${PKGARCH}${PKGEXT}"
 	local ret=0
 
+	[[ -f $pkg_file ]] && rm -f "$pkg_file"
+	[[ -f $pkg_file.sig ]] && rm -f "$pkg_file.sig"
+
 	# when fileglobbing, we want * in an empty directory to expand to
 	# the null string rather than itself
 	shopt -s nullglob
@@ -1089,9 +1092,12 @@ create_package() {
 		exit 1 # TODO: error code
 	fi
 
+	create_signature "$pkg_file"
+
 	if (( ! ret )) && [[ ! "$PKGDEST" -ef "${startdir}" ]]; then
 		ln -sf "${pkg_file}" "${pkg_file/$PKGDEST/$startdir}"
 		ret=$?
+		[[ -f $pkg_file.sig ]] && ln -sf "$pkg_file.sig" "${pkg_file/$PKGDEST/$startdir}.sig"
 	fi
 
 	if (( ret )); then
@@ -1099,6 +1105,25 @@ create_package() {
 	fi
 }
 
+create_signature() {
+	if [[ $(check_buildenv sign) != "y" ]]; then
+		return
+	fi
+	local ret=0
+	local filename="$1"
+	msg "$(gettext "Signing package...")"
+	if ! type -p gpg >/dev/null; then
+		error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+		exit 1 # $E_MISSING_PROGRAM
+	fi
+	gpg --detach-sign --use-agent "$filename" || ret=$?
+	if (( ! ret )); then
+		msg2 "$(gettext "Created signature file %s.")" "$filename.sig"
+	else
+		warning "$(gettext "Failed to sign package file.")"
+	fi
+}
+
 create_srcpackage() {
 	cd "$startdir"
 
@@ -1688,6 +1713,8 @@ done
 [[ -n ${PKGDEST} ]] && _PKGDEST=$(canonicalize_path ${PKGDEST})
 [[ -n ${SRCDEST} ]] && _SRCDEST=$(canonicalize_path ${SRCDEST})
 [[ -n ${SRCPKGDEST} ]] && _SRCPKGDEST=$(canonicalize_path ${SRCPKGDEST})
+[[ -n ${PKGEXT} ]] && _PKGEXT=${PKGEXT}
+[[ -n ${SRCEXT} ]] && _SRCEXT=${SRCEXT}
 
 # default config is makepkg.conf
 MAKEPKG_CONF=${MAKEPKG_CONF:-$confdir/makepkg.conf}
@@ -1751,6 +1778,8 @@ fi
 SRCPKGDEST=${_SRCPKGDEST:-$SRCPKGDEST}
 SRCPKGDEST=${SRCPKGDEST:-$startdir} #default to $startdir if undefined
 
+PKGEXT=${_PKGEXT:-$PKGEXT}
+SRCEXT=${_SRCEXT:-$SRCEXT}
 
 if (( HOLDVER )) && [[ -n $FORCE_VER ]]; then
 	# The '\\0' is here to prevent gettext from thinking --holdver is an option
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
new file mode 100644
index 00000000..5746e64f
--- /dev/null
+++ b/scripts/pacman-key.sh.in
@@ -0,0 +1,320 @@
+#!@BASH_SHELL@ -e
+#
+#   pacman-key - manages pacman's keyring
+#                Based on apt-key, from Debian
+#   @configure_input@
+#
+#   Copyright (c) 2010 - Pacman Development Team <pacman-dev@archlinux.org>
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2 of the License, or
+#   (at your option) any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+# gettext initialization
+export TEXTDOMAIN='pacman'
+export TEXTDOMAINDIR='@localedir@'
+
+myver="@PACKAGE_VERSION@"
+
+msg() {
+	local mesg=$1; shift
+	printf "==> ${mesg}\n" "$@" >&1
+}
+
+msg2() {
+	(( QUIET )) && return
+	local mesg=$1; shift
+	printf "  -> ${mesg}\n" "$@" >&1
+}
+
+warning() {
+	local mesg=$1; shift
+	printf "==> $(gettext "WARNING:") ${mesg}\n" "$@" >&2
+}
+
+error() {
+	local mesg=$1; shift
+	printf "==> $(gettext "ERROR:") ${mesg}\n" "$@" >&2
+}
+
+usage() {
+	printf "pacman-key (pacman) %s\n" ${myver}
+	echo
+	printf "$(gettext "Usage: %s [options] <command> [arguments]")\n" $(basename $0)
+	echo
+	echo "$(gettext "Manage pacman's list of trusted keys")"
+	echo
+	echo "$(gettext "Options must be placed before commands. The available options are:")"
+	printf "$(gettext "  --config <file>  Use an alternate config file (instead of '%s')")\n" "$CONFIG"
+	echo "$(gettext "  --gpgdir         Set an alternate directory for gnupg")"
+	echo
+	echo "$(gettext "The available commands are:")"
+	echo "$(gettext "  -a, --add [<file(s)>]     Add the specified keys (empty for stdin)")"
+	echo "$(gettext "  -d, --del <keyid(s)>      Remove the specified keyids")"
+	echo "$(gettext "  -e, --export <keyid(s)>   Export the specified keyids")"
+	echo "$(gettext "  -f, --finger [<keyid(s)>] List fingerprint for specified or all keyids")"
+	echo "$(gettext "  -h, --help                This help")"
+	echo "$(gettext "  -l, --list                List keys")"
+	echo "$(gettext "  -r, --receive <keyserver> <keyid(s)> Fetch the specified keyids")"
+	echo "$(gettext "  -t, --trust <keyid(s)>    Set the trust level of the given keyids")"
+	echo "$(gettext "  -u, --updatedb            Update the trustdb of pacman")"
+	echo "$(gettext "  -V, --version             Show program version")"
+	echo "$(gettext "  --adv <params>            Use pacman's keyring with advanced gpg commands")"
+	printf "$(gettext "  --reload                  Reload the default keys")"
+	echo
+}
+
+version() {
+	printf "pacman-key (pacman) %s\n" "${myver}"
+	printf "$(gettext "\
+Copyright (c) 2010-2011 Pacman Development Team <pacman-dev@archlinux.org>.\n\
+This is free software; see the source for copying conditions.\n\
+There is NO WARRANTY, to the extent permitted by law.\n")"
+}
+
+find_config() {
+	# Prints on stdin the values of all the options from the configuration file that
+	# are associated with the first parameter of this function.
+	# The option names are stripped
+	grep -e "^[[:blank:]]*$1[[:blank:]]*=.*" "$CONFIG" | cut -d= -f 2-
+}
+
+reload_keyring() {
+	local PACMAN_SHARE_DIR='@prefix@/share/pacman'
+	local GPG_NOKEYRING="gpg --batch --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir ${PACMAN_KEYRING_DIR}"
+
+	# Variable used for iterating on keyrings
+	local key
+	local key_id
+
+	# Keyring with keys to be added to the keyring
+	local ADDED_KEYS="${PACMAN_SHARE_DIR}/addedkeys.gpg"
+
+	# Keyring with keys that were deprecated and will eventually be deleted
+	local DEPRECATED_KEYS="${PACMAN_SHARE_DIR}/deprecatedkeys.gpg"
+
+	# List of keys removed from the keyring. This file is not a keyring, unlike the others.
+	# It is a textual list of values that gpg recogniezes as identifiers for keys.
+	local REMOVED_KEYS="${PACMAN_SHARE_DIR}/removedkeys"
+
+	# Verify signatures of related files, if they exist
+	if [[ -r "${ADDED_KEYS}" ]]; then
+		msg "$(gettext "Verifying official keys file signature...")"
+		if ! ${GPG_PACMAN} --quiet --batch --verify "${ADDED_KEYS}.sig" 1>/dev/null; then
+			error "$(gettext "The signature of file %s is not valid.")" "${ADDED_KEYS}"
+			exit 1
+		fi
+	fi
+
+	if [[ -r "${DEPRECATED_KEYS}" ]]; then
+		msg "$(gettext "Verifying deprecated keys file signature...")"
+		if ! ${GPG_PACMAN} --quiet --batch --verify "${DEPRECATED_KEYS}.sig" 1>/dev/null; then
+			error "$(gettext "The signature of file %s is not valid.")" "${DEPRECATED_KEYS}"
+			exit 1
+		fi
+	fi
+
+	if [[ -r "${REMOVED_KEYS}" ]]; then
+		msg "$(gettext "Verifying deleted keys file signature...")"
+		if ! ${GPG_PACMAN} --quiet --batch --verify "${REMOVED_KEYS}.sig"; then
+			error "$(gettext "The signature of file %s is not valid.")" "${REMOVED_KEYS}"
+			exit 1
+		fi
+	fi
+
+	# Read the key ids to an array. The conversion from whatever is inside the file
+	# to key ids is important, because key ids are the only guarantee of identification
+	# for the keys.
+	local -A removed_ids
+	if [[ -r "${REMOVED_KEYS}" ]]; then
+		while read key; do
+			local key_values name
+			key_values=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5,10 --output-delimiter=' ')
+			if [[ -n $key_values ]]; then
+				# The first word is the key_id
+				key_id=${key_values%% *}
+				# the rest if the name of the owner
+				name=${key_values#* }
+				if [[ -n ${key_id} ]]; then
+					# Mark this key to be deleted
+					removed_ids[$key_id]="$name"
+				fi
+			fi
+		done < "${REMOVED_KEYS}"
+	fi
+
+	# List of keys that must be kept installed, even if in the list of keys to be removed
+	local HOLD_KEYS=$(find_config "HoldKeys")
+
+	# Remove the keys that must be kept from the set of keys that should be removed
+	if [[ -n ${HOLD_KEYS} ]]; then
+		for key in ${HOLD_KEYS}; do
+			key_id=$(${GPG_PACMAN} --quiet --with-colons --list-key "${key}" | grep ^pub | cut -d: -f5)
+			if [[ -n "${removed_ids[$key_id]}" ]]; then
+				unset removed_ids[$key_id]
+			fi
+		done
+	fi
+
+	# Add keys from the current set of keys from pacman-keyring package. The web of trust will
+	# be updated automatically.
+	if [[ -r "${ADDED_KEYS}" ]]; then
+		msg "$(gettext "Appending official keys...")"
+		local add_keys=$(${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+		for key_id in ${add_keys}; do
+			# There is no point in adding a key that will be deleted right after
+			if [[ -z "${removed_ids[$key_id]}" ]]; then
+				${GPG_NOKEYRING} --keyring "${ADDED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+			fi
+		done
+	fi
+
+	if [[ -r "${DEPRECATED_KEYS}" ]]; then
+		msg "$(gettext "Appending deprecated keys...")"
+		local add_keys=$(${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --with-colons --list-keys | grep ^pub | cut -d: -f5)
+		for key_id in ${add_keys}; do
+			# There is no point in adding a key that will be deleted right after
+			if [[ -z "${removed_ids[$key_id]}" ]]; then
+				${GPG_NOKEYRING} --keyring "${DEPRECATED_KEYS}" --export "${key_id}" | ${GPG_PACMAN} --import
+			fi
+		done
+	fi
+
+	# Remove the keys not marked to keep
+	if (( ${#removed_ids[@]} > 0 )); then
+		msg "$(gettext "Removing deleted keys from keyring...")"
+		for key_id in "${!removed_ids[@]}"; do
+			echo "  removing key $key_id - ${removed_ids[$key_id]}"
+			${GPG_PACMAN} --quiet --batch --yes --delete-key "${key_id}"
+		done
+	fi
+
+	# Update trustdb, just to be sure
+	msg "$(gettext "Updating trust database...")"
+	${GPG_PACMAN} --batch --check-trustdb
+}
+
+# PROGRAM START
+if ! type gettext &>/dev/null; then
+	gettext() {
+		echo "$@"
+	}
+fi
+
+if [[ $1 != "--version" && $1 != "-V" && $1 != "--help" && $1 != "-h" && $1 != "" ]]; then
+	if type -p gpg >/dev/null 2>&1 = 1; then
+		error "$(gettext "gnupg does not seem to be installed.")"
+		msg2 "$(gettext "pacman-key requires gnupg for most operations.")"
+		exit 1
+	elif (( EUID != 0 )); then
+		error "$(gettext "pacman-key needs to be run as root.")"
+		exit 1
+	fi
+fi
+
+# Parse global options
+CONFIG="@sysconfdir@/pacman.conf"
+PACMAN_KEYRING_DIR="@sysconfdir@/pacman.d/gnupg"
+while [[ $1 =~ ^--(config|gpgdir)$ ]]; do
+	case "$1" in
+		--config) shift; CONFIG="$1" ;;
+		--gpgdir) shift; PACMAN_KEYRING_DIR="$1" ;;
+	esac
+	shift
+done
+
+if [[ ! -r "${CONFIG}" ]]; then
+	error "$(gettext "%s not found.")" "$CONFIG"
+	exit 1
+fi
+
+# Read GPGDIR from $CONFIG.
+# The pattern is: any spaces or tabs, GPGDir, any spaces or tabs, equal sign
+# and the rest of the line. The string is splitted after the first occurrence of =
+if [[ GPGDIR=$(find_config "GPGDir") == 0 ]]; then
+	PACMAN_KEYRING_DIR="${GPGDIR}"
+fi
+GPG_PACMAN="gpg --homedir ${PACMAN_KEYRING_DIR}"
+
+# Parse and execute command
+command="$1"
+if [[ -z "${command}" ]]; then
+	usage
+	exit 1
+fi
+shift
+
+case "${command}" in
+	-a|--add)
+		# If there is no extra parameter, gpg will read stdin
+		${GPG_PACMAN} --quiet --batch --import "$@"
+		;;
+	-d|--del)
+		if (( $# == 0 )); then
+			error "$(gettext "You need to specify at least one key identifier")"
+			exit 1
+		fi
+		${GPG_PACMAN} --quiet --batch --delete-key --yes "$@"
+		;;
+	-u|--updatedb)
+		${GPG_PACMAN} --batch --check-trustdb
+		;;
+	--reload)
+		reload_keyring
+		;;
+	-l|--list)
+		${GPG_PACMAN} --batch --list-sigs "$@"
+		;;
+	-f|--finger)
+		${GPG_PACMAN} --batch --fingerprint "$@"
+		;;
+	-e|--export)
+		${GPG_PACMAN} --armor --export "$@"
+		;;
+	-r|--receive)
+		if (( $# < 2 )); then
+			error "$(gettext "You need to specify the keyserver and at least one key identifier")"
+			exit 1
+		fi
+		keyserver="$1"
+		shift
+		${GPG_PACMAN} --keyserver "${keyserver}" --recv-keys "$@"
+		;;
+	-t|--trust)
+		if (( $# == 0 )); then
+			error "$(gettext "You need to specify at least one key identifier")"
+			exit 1
+		fi
+		while (( $# > 0 )); do
+			# Verify if the key exists in pacman's keyring
+			if ${GPG_PACMAN} --list-keys "$1" > /dev/null 2>&1; then
+				${GPG_PACMAN} --edit-key "$1"
+			else
+				error "$(gettext "The key identified by %s doesn't exist")" "$1"
+				exit 1
+			fi
+			shift
+		done
+		;;
+	--adv)
+		msg "$(gettext "Executing: %s ")$*" "${GPG_PACMAN}"
+		${GPG_PACMAN} "$@" || ret=$?
+		exit $ret
+		;;
+	-h|--help)
+		usage; exit 0 ;;
+	-V|--version)
+		version; exit 0 ;;
+	*)
+		usage; exit 1 ;;
+esac
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
index dfc93974..1c0347cc 100644
--- a/scripts/repo-add.sh.in
+++ b/scripts/repo-add.sh.in
@@ -30,6 +30,8 @@ confdir='@sysconfdir@'
 QUIET=0
 DELTA=0
 WITHFILES=0
+SIGN=0
+VERIFY=0
 REPO_DB_FILE=
 LOCKFILE=
 CLEAN_LOCK=0
@@ -62,7 +64,7 @@ error() {
 # print usage instructions
 usage() {
 	printf "repo-add, repo-remove (pacman) %s\n\n" "$myver"
-	printf "$(gettext "Usage: repo-add [-d] [-f] [-q] <path-to-db> <package|delta> ...\n")"
+	printf "$(gettext "Usage: repo-add [-d] [-f] [-q] [-s] [-v] <path-to-db> <package|delta> ...\n")"
 	printf "$(gettext "Usage: repo-remove [-q] <path-to-db> <packagename|delta> ...\n\n")"
 	printf "$(gettext "\
 repo-add will update a package database by reading a package file.\n\
@@ -79,7 +81,8 @@ Use the -d/--delta flag to automatically generate and add a delta file\n\
 between the old entry and the new one, if the old package file is found\n\
 next to the new one.\n\n")"
 	printf "$(gettext "\
-Use the -f/--files flag to update a database including file entries.\n\n")"
+Use the -f/--files flag to update a database including file entries.\n\n
+See repo-add(8) for more details and descriptions of the available options.\n\n")"
 	echo "$(gettext "Example:  repo-add /path/to/repo.db.tar.gz pacman-3.0.0.pkg.tar.gz")"
 	echo "$(gettext "Example:  repo-remove /path/to/repo.db.tar.gz kernel26")"
 }
@@ -184,14 +187,56 @@ db_remove_delta()
 	return 1
 } # end db_remove_delta
 
+# sign the package database once repackaged
+create_signature() {
+	(( ! SIGN )) && return
+	local dbfile="$1"
+	local ret=0
+	msg "$(gettext "Signing database...")"
+	if ! type -p gpg; then
+		error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+		exit 1 # $E_MISSING_PROGRAM
+	fi
+	gpg --detach-sign --use-agent "$dbfile" || ret=$?
+	if (( ! ret )); then
+		msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig"
+	else
+		warning "$(gettext "Failed to sign package database.")"
+	fi
+}
+
+# verify the existing package database signature
+verify_signature() {
+	(( ! VERIFY )) && return
+	local dbfile="$1"
+	local ret=0
+	msg "$(gettext "Verifying database signature...")"
+	if ! type -p gpg; then
+		error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+		exit 1 # $E_MISSING_PROGRAM
+	fi
+	if [[ ! -f $dbfile.sig ]]; then
+		warning "$(gettext "No existing signature found, skipping verification.")"
+		return
+	fi
+	gpg --verify "$dbfile.sig" || ret=$?
+	if (( ! ret )); then
+		msg2 "$(gettext "Database signature file verified.")"
+	else
+		error "$(gettext "Database signature was NOT valid!")"
+		exit 1
+	fi
+}
+
 # write an entry to the pacman database
 #   arg1 - path to package
 db_write_entry()
 {
 	# blank out all variables
 	local pkgfile="$1"
-	local pkgname pkgver pkgdesc csize size md5sum url arch builddate packager \
-		_groups _licenses _replaces _depends _conflicts _provides _optdepends
+	local pkgname pkgver pkgdesc csize size url arch builddate packager \
+		_groups _licenses _replaces _depends _conflicts _provides _optdepends \
+		md5sum sha256sum pgpsig
 
 	local OLDIFS="$IFS"
 	# IFS (field separator) is only the newline character
@@ -219,10 +264,19 @@ db_write_entry()
 
 	IFS=$OLDIFS
 
-	# get md5sum and compressed size of package
+	csize=$(@SIZECMD@ "$pkgfile")
+
+	# compute checksums
+	msg2 "$(gettext "Computing checksums...")"
 	md5sum="$(openssl dgst -md5 "$pkgfile")"
 	md5sum="${md5sum##* }"
-	csize=$(@SIZECMD@ "$pkgfile")
+	sha256sum="$(openssl dgst -sha256 "$pkgfile")"
+	sha256sum="${sha256sum##* }"
+
+	# compute base64'd PGP signature
+	if [[ -f "$pkgfile.sig" ]]; then
+		pgpsig=$(openssl base64 -in "$pkgfile.sig" | tr -d '\n')
+	fi
 
 	# ensure $pkgname and $pkgver variables were found
 	if [[ -z $pkgname || -z $pkgver ]]; then
@@ -264,9 +318,12 @@ db_write_entry()
 	[[ -n $csize ]] && echo -e "%CSIZE%\n$csize\n" >>desc
 	[[ -n $size ]] && echo -e "%ISIZE%\n$size\n" >>desc
 
-	# compute checksums
-	msg2 "$(gettext "Computing md5 checksums...")"
+	# add checksums
 	echo -e "%MD5SUM%\n$md5sum\n" >>desc
+	echo -e "%SHA256SUM%\n$sha256sum\n" >>desc
+
+	# add PGP sig
+	[[ -n $pgpsig ]] && echo -e "%PGPSIG%\n$pgpsig\n" >>desc
 
 	[[ -n $url ]] && echo -e "%URL%\n$url\n" >>desc
 	write_list_entry "LICENSE" "$_licenses" "desc"
@@ -352,6 +409,7 @@ check_repo_db()
 				exit 1
 			fi
 		fi
+		verify_signature "$REPO_DB_FILE"
 		msg "$(gettext "Extracting database to a temporary location...")"
 		bsdtar -xf "$REPO_DB_FILE" -C "$tmpdir"
 	else
@@ -482,6 +540,8 @@ for arg in "$@"; do
 		-q|--quiet) QUIET=1;;
 		-d|--delta) DELTA=1;;
 		-f|--files) WITHFILES=1;;
+		-s|--sign) SIGN=1;;
+		-v|--verify) VERIFY=1;;
 		*)
 			if [[ -z $REPO_DB_FILE ]]; then
 				REPO_DB_FILE="$arg"
@@ -519,15 +579,24 @@ if (( success )); then
 		warning "$(gettext "No packages remain, creating empty database.")"
 		bsdtar -c${TAR_OPT}f "$filename" -T /dev/null
 	fi
+	create_signature "$filename"
+
 	popd >/dev/null
 
 	[[ -f $REPO_DB_FILE ]] && mv -f "$REPO_DB_FILE" "${REPO_DB_FILE}.old"
+	[[ -f $REPO_DB_FILE.sig ]] && rm -f "$REPO_DB_FILE.sig"
 	[[ -f $tmpdir/$filename ]] && mv "$tmpdir/$filename" "$REPO_DB_FILE"
+	[[ -f $tmpdir/$filename.sig ]] && mv "$tmpdir/$filename.sig" "$REPO_DB_FILE.sig"
 	dblink="${REPO_DB_FILE%.tar.*}"
 	target=${REPO_DB_FILE##*/}
 	ln -sf "$target" "$dblink" 2>/dev/null || \
 		ln -f "$target" "$dblink" 2>/dev/null || \
 		cp "$REPO_DB_FILE" "$dblink"
+	if [[ -f "$target.sig" ]]; then
+		ln -sf "$target.sig" "$dblink.sig" 2>/dev/null || \
+			ln -f "$target.sig" "$dblink.sig" 2>/dev/null || \
+			cp "$REPO_DB_FILE.sig" "$dblink.sig"
+	fi
 else
 	msg "$(gettext "No packages modified, nothing to do.")"
 	exit 1