summaryrefslogtreecommitdiff
path: root/Makefile
blob: 7988ecdd8d61663e740ef3efc3edda1d3b36c9aa (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
V=20150216

export LANG=C
export SHELL=/bin/bash

KEYSERVER = hkp://pool.sks-keyservers.net
KEYRING_NAME = parabola

GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir output/cache/pacman-keyring/gpghome
MKDIRS = mkdir -p
FAIL = exit 1

dep_dir = $1 $(shell find $1)
users = $(call dep_dir,users)

all: PHONY pacman-keyring postfix-virtual-map

PREFIX = /usr/local

install:
	install -dm755 $(DESTDIR)$(PREFIX)/share/pacman/keyrings/
	install -m0644 parabola{.gpg,-trusted,-revoked} $(DESTDIR)$(PREFIX)/share/pacman/keyrings/

uninstall:
	rm -f $(DESTDIR)$(PREFIX)/share/pacman/keyrings/parabola{.gpg,-trusted,-revoked}
	rmdir -p --ignore-fail-on-non-empty $(DESTDIR)$(PREFIX)/share/pacman/keyrings/

dist:
	cp -rv output/pacman-keyring output/parabola-keyring-$(V)/
	cp -v Makefile output/parabola-keyring-$(V)/
	bsdtar czf output/parabola-keyring-$(V).tar.gz -C output parabola-keyring-$(V)/
	gpg --detach-sign --use-agent output/parabola-keyring-$(V).tar.gz

upload:
	scp output/parabola-keyring-$(V).tar.gz output/parabola-keyring-$(V).tar.gz.sig parabola:/srv/repo/main/other/parabola-keyring

clean: PHONY
	rm -rf output/cache

distclean: PHONY
	rm -rf output

####

postfix-virtual-map: PHONY output/postfix-virtual-map/virtual-parabola.nu

output/postfix-virtual-map/virtual-parabola.nu: ${users}
	${MKDIRS} ${@D}
	bin/postfix-generate-virtual-map > $@

####

pacman-keyring: PHONY \
	output/pacman-keyring/${KEYRING_NAME}.gpg \
	output/pacman-keyring/${KEYRING_NAME}-trusted \
	output/pacman-keyring/${KEYRING_NAME}-revoked

# Assemble the list of .asc files needed to generate the keyring
output/cache/pacman-keyring/deps.mk: ${users}
	$(MKDIRS) ${@D}
	{ \
		echo output/pacman-keyring/${KEYRING_NAME}.gpg: $$(bin/pgp-list-keyids | sed -r 's|(\S+) .*|output/cache/pacman-keyring/keys/\1.asc|') && \
		echo output/cache/pacman-keyring/stamp.ownertrust: $$(bin/pgp-list-keyids | sed -rn 's|^(trusted/\S+) .*|output/cache/pacman-keyring/keys/\1.asc|p') && \
		bin/uid-map | sed 's|.*|trusted:&\nsecondary:&\nrevoked:&|' | sed -r 's|(.*):(.*):(.*)|output/cache/pacman-keyring/keys/\1/\3.asc: users/\2.yml|' && \
	:; }> $@
-include output/cache/pacman-keyring/deps.mk

output/cache/pacman-keyring/stamp.gpg-init: gpg-init.txt
	${MKDIRS} ${@D} output/cache/pacman-keyring/gpghome
	${GPG} --gen-key < $<
	touch $@
output/cache/pacman-keyring/stamp.ownertrust: output/pacman-keyring/${KEYRING_NAME}-trusted output/cache/pacman-keyring/deps.mk
	${MKDIRS} ${@D}
	${GPG} --import-ownertrust < $< 2>/dev/null
	touch $@

output/pacman-keyring/${KEYRING_NAME}.gpg: output/cache/pacman-keyring/deps.mk
	$(MKDIRS) ${@D}
	cat $(filter %.asc,$^) > $@
output/pacman-keyring/${KEYRING_NAME}-trusted: ${users}
	$(MKDIRS) ${@D}
	bin/pgp-list-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@
output/pacman-keyring/${KEYRING_NAME}-revoked: ${users}
	$(MKDIRS) ${@D}
	bin/pgp-list-keyids | sed -rn 's|^revoked/\S+ ||p' > $@

# These 3 rules are mostly straight from "archlinux-keyring.git/update-keys"
# The appropriate .yml file is added as a dependency by deps.mk
keyid=$$(bin/pgp-get-keyid-by-uid $(patsubst users/%.yml,%,$(filter %.yml,$^)))
output/cache/pacman-keyring/keys/trusted/%.asc:   output/cache/pacman-keyring/stamp.gpg-init
	${MKDIRS} ${@D}
	${GPG} --recv-keys ${keyid} &>/dev/null
	printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	#${GPG} --yes --lsign-key ${keyid} &>/dev/null
	printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid} &>/dev/null
	${GPG} --armor --no-emit-version --export ${keyid} > $@
output/cache/pacman-keyring/keys/secondary/%.asc: output/cache/pacman-keyring/stamp.ownertrust
	${MKDIRS} ${@D}
	${GPG} --recv-keys ${keyid} &>/dev/null
	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it is trusted
	${GPG} --armor --no-emit-version --export ${keyid} > $@
output/cache/pacman-keyring/keys/revoked/%.asc:   output/cache/pacman-keyring/stamp.ownertrust
	${MKDIRS} ${@D}
	${GPG} --recv-keys ${keyid} &>/dev/null
	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
	! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it's not trusted
	${GPG} --armor --no-emit-version --export ${keyid} > $@

####

.PHONY: PHONY
.SECONDARY:
.DELETE_ON_ERROR: