From a4120f2015ae4d5880642e16c81acadbab77555d Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Mon, 24 Aug 2009 13:23:44 -0500
Subject: repo-add: allow signing of the package database

In order to be fully secure, we can't only sign packages. We also need
to sign our repository metadata to prevent database falsification,
dependency injection, etc. Add an '-s/--sign' option that allows this
functionality, and will generate a .sig file side-by-side with the
package database.

While at it, fix the issue where a signature file would never be found
because of 'cd' madness (this needs fixing in another commit).

Signed-off-by: Dan McGee <dan@archlinux.org>
---
 doc/repo-add.8.txt     |  7 +++++++
 scripts/repo-add.sh.in | 23 +++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/doc/repo-add.8.txt b/doc/repo-add.8.txt
index 75f49ef5..26009f67 100644
--- a/doc/repo-add.8.txt
+++ b/doc/repo-add.8.txt
@@ -43,6 +43,13 @@ Options
 	Force this program to keep quiet and run silent except for warning and
 	error messages.
 
+*-s, \--sign*::
+	Generate a PGP signature file using GnuPG. This will execute `gpg
+	--detach-sign --use-agent` on the generated database to generate a detached
+	signature file, using the GPG agent if it is available. The signature file
+	will be the entire filename of the database with a ``.sig'' extension.
+
+
 See Also
 --------
 linkman:makepkg[8], linkman:pacman[8]
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
index 70cfd63c..ebe226a1 100644
--- a/scripts/repo-add.sh.in
+++ b/scripts/repo-add.sh.in
@@ -30,6 +30,7 @@ confdir='@sysconfdir@'
 QUIET=0
 DELTA=0
 WITHFILES=0
+SIGN=0
 REPO_DB_FILE=
 LOCKFILE=
 CLEAN_LOCK=0
@@ -184,6 +185,24 @@ db_remove_delta()
 	return 1
 } # end db_remove_delta
 
+# sign the package database once repackaged
+create_signature() {
+	(( ! SIGN )) && return
+	local dbfile="$1"
+	local ret=0
+	msg "$(gettext "Signing database...")"
+	if [ ! $(type -p "gpg") ]; then
+		error "$(gettext "Cannot find the gpg binary! Is gnupg installed?")"
+		exit 1 # $E_MISSING_PROGRAM
+	fi
+	gpg --detach-sign --use-agent "$dbfile" || ret=$?
+	if (( ! ret )); then
+		msg2 "$(gettext "Created signature file %s.")" "$dbfile.sig"
+	else
+		warning "$(gettext "Failed to sign package database.")"
+	fi
+}
+
 # write an entry to the pacman database
 #   arg1 - path to package
 db_write_entry()
@@ -488,6 +507,7 @@ for arg in "$@"; do
 		-q|--quiet) QUIET=1;;
 		-d|--delta) DELTA=1;;
 		-f|--files) WITHFILES=1;;
+		-s|--sign) SIGN=1;;
 		*)
 			if [[ -z $REPO_DB_FILE ]]; then
 				REPO_DB_FILE="$arg"
@@ -520,6 +540,7 @@ if (( success )); then
 	pushd "$tmpdir" >/dev/null
 	if [[ -n $(ls) ]]; then
 		bsdtar -c${TAR_OPT}f "$filename" *
+		create_signature "$filename"
 	else
 		# we have no packages remaining? zip up some emptyness
 		warning "$(gettext "No packages remain, creating empty database.")"
@@ -528,7 +549,9 @@ if (( success )); then
 	popd >/dev/null
 
 	[[ -f $REPO_DB_FILE ]] && mv -f "$REPO_DB_FILE" "${REPO_DB_FILE}.old"
+	[[ -f $REPO_DB_FILE.sig ]] && rm -f "$REPO_DB_FILE.sig"
 	[[ -f $tmpdir/$filename ]] && mv "$tmpdir/$filename" "$REPO_DB_FILE"
+	[[ -f $tmpdir/$filename.sig ]] && mv "$tmpdir/$filename.sig" "$REPO_DB_FILE.sig"
 	dblink="${REPO_DB_FILE%.tar.*}"
 	target=${REPO_DB_FILE##*/}
 	ln -sf "$target" "$dblink" 2>/dev/null || \
-- 
cgit v1.2.3-24-g4f1b