From 50f53b293c0ff823065e7a98d288787ca7bd4ba9 Mon Sep 17 00:00:00 2001
From: Dan McGee <dan@archlinux.org>
Date: Mon, 29 Aug 2011 12:52:51 -0500
Subject: pacman-key: add --lsign-key operation

This allows local signing of a given key to help establish the web of
trust rooted at the generated (or imported) master key.

Signed-off-by: Dan McGee <dan@archlinux.org>
---
 scripts/pacman-key.sh.in | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'scripts')

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 8f108250..14ea07d5 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -37,6 +37,7 @@ IMPORT_TRUSTDB=0
 INIT=0
 LISTKEYS=0
 LISTSIGS=0
+LSIGNKEY=0
 POPULATE=0
 RECEIVE=0
 UPDATEDB=0
@@ -178,6 +179,13 @@ check_keyring() {
 		fi
 	fi
 
+	if (( LSIGNKEY )); then
+		if [[ $(secret_keys_available) -lt 1 ]]; then
+			error "$(gettext "There is no secret key available to sign with.")"
+			msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init"
+			exit 1
+		fi
+	fi
 }
 
 verify_keyring_input() {
@@ -357,7 +365,7 @@ fi
 OPT_SHORT="a::d:e:f::hl::r:uv:V"
 OPT_LONG="add::,config:,delete:,edit-key:,export::,finger::,gpgdir:"
 OPT_LONG+=",help,import:,import-trustdb:,init,list-keys::,list-sigs::"
-OPT_LONG+=",populate::,receive:,updatedb,verify:,version"
+OPT_LONG+=",lsign-key:,populate::,receive:,updatedb,verify:,version"
 if ! OPT_TEMP="$(parse_options $OPT_SHORT $OPT_LONG "$@")"; then
 	echo; usage; exit 1 # E_INVALID_OPTION;
 fi
@@ -383,6 +391,7 @@ while true; do
 		--init)           INIT=1 ;;
 		-l|--list-keys)   LISTKEYS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
 		--list-sigs)      LISTSIGS=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYIDS=($1) ;;
+		--lsign-key)      LSIGNKEY=1; shift; KEYIDS=($1); UPDATEDB=1 ;;
 		--populate)       POPULATE=1; [[ -n $2 && ${2:0:1} != "-" ]] && shift && KEYRINGIDS=($1); UPDATEDB=1 ;;
 		-r|--receive)     RECEIVE=1; shift; TMP=($1); KEYSERVER=${TMP[0]}; KEYIDS=(${TMP[@]:1}); unset TMP; UPDATEDB=1 ;;
 		-u|--updatedb)    UPDATEDB=1 ;;
@@ -403,7 +412,7 @@ if ! type -p gpg >/dev/null; then
 	exit 1
 fi
 
-if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then
+if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || LSIGNKEY || POPULATE || RECEIVE || UPDATEDB) && EUID != 0 )); then
 	error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
 	exit 1
 fi
@@ -423,7 +432,7 @@ GPG_PACMAN=(gpg --homedir ${PACMAN_KEYRING_DIR} --no-permission-warning)
 # check only a single operation has been given
 # don't include UPDATEDB in here as other opts can induce it
 numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB +
-		INIT + LISTKEYS + LISTSIGS + POPULATE + RECEIVE + VERIFY ))
+		INIT + LISTKEYS + LISTSIGS + LSIGNKEY + POPULATE + RECEIVE + VERIFY ))
 
 case $numopt in
 	0)
@@ -451,6 +460,8 @@ esac
 (( INIT )) && initialize
 (( LISTKEYS )) && "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}"
 (( LISTSIGS )) && "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}"
+# TODO: we can't do --batch on lsign until we figure out --command-fd
+(( LSIGNKEY )) && "${GPG_PACMAN[@]}" --lsign-key "${KEYIDS[@]}"
 (( POPULATE )) && populate_keyring
 (( RECEIVE )) && receive_keys
 (( VERIFY )) && "${GPG_PACMAN[@]}" --verify $SIGNATURE
-- 
cgit v1.2.3-24-g4f1b