author | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-06-17 20:09:33 -0400 |
---|---|---|
committer | Luke Shumaker <lukeshu@sbcglobal.net> | 2016-06-17 20:09:33 -0400 |
commit | 4d12729aa4026229e4e118b924cc3b1c75ca214b (patch) | |
tree | abd9a69ec11504844148b1017f9e9601ef7e90b8 /scripts/pacman-make-keyring | |
parent | 4f175a22cf726bfa09652d8d9ca6374785561348 (diff) |
write setuid, move things around
Diffstat (limited to 'scripts/pacman-make-keyring')
-rwxr-xr-x | scripts/pacman-make-keyring | 167 |
1 files changed, 0 insertions, 167 deletions
diff --git a/scripts/pacman-make-keyring b/scripts/pacman-make-keyring
deleted file mode 100755
index 702ea69..0000000
--- a/scripts/pacman-make-keyring
+++ /dev/null
@@ -1,167 +0,0 @@
-#!/usr/bin/make -rRf
-# Usage: pacman-make-keyring V=$(date -u +%Y%m%d)
-
-# Copyright 2014, 2016 Luke Shumaker <lukeshu@sbcglobal.net>.
-#
-# This is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License as
-# published by the Free Software Foundation; either version 2 of
-# the License, or (at your option) any later version.
-#
-# This software is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public
-# License along with this manual; if not, see
-# <http://www.gnu.org/licenses/>.
-
-ifeq ($(origin V),undefined)
-$(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d))
-$(error You must set V= on the command line)
-endif
-
-bin := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))
-yamldir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']")
-cachedir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']")
-
-outputdir = $(cachedir)/$(KEYRING_NAME)-keyring-$(V)
-KEYRING_NAME = parabola
-
-all: $(KEYRING_NAME)-keyring-$(V).tar.gz
-.PHONY: all
-
-export SHELL = /bin/bash -o pipefail
-.PHONY: FORCE
-.SECONDARY:
-.DELETE_ON_ERROR:
-
-dirs = \
-	$(outputdir) \
-	$(cachedir) \
-	$(cachedir)/gpghome \
-	$(cachedir)/keys/trusted \
-	$(cachedir)/keys/secondary \
-	$(cachedir)/keys/revoked
-
-$(dirs):
-	mkdir -p $@
-
-$(cachedir)/var.%: FORCE | $(cachedir)
-	@$(file >$(@D)/tmp.$(@F),$($*))
-	@sed -i 's|^|#|' $(@D)/tmp.$(@F)
-	@if cmp -s $(@D)/tmp.$(@F) $@; then \
-	rm -f $(@D)/tmp.$(@F) || :; \
-	else \
-	mv -f $(@D)/tmp.$(@F) $@; \
-	fi
--include $(wildcard $(cachedir)/var.*)
-$(cachedir)/txt.%: $(cachedir)/var.%
-	sed 's|^#||' < $< > $@
-var=$(cachedir)/var.
-
-keyring-files = \
-	$(outputdir)/Makefile \
-	$(outputdir)/${KEYRING_NAME}.gpg \
-	$(outputdir)/${KEYRING_NAME}-trusted \
-	$(outputdir)/${KEYRING_NAME}-revoked
-
-$(KEYRING_NAME)-keyring-$(V).tar.gz: %.tar.gz: $(keyring-files)
-	bsdtar --format=ustar -cf - -C $(cachedir) $(addprefix $*/,$(notdir $^)) | gzip -9 > $@
-
-define Makefile.in
-V=@V@
-
-prefix = /usr/local
-PREFIX = $$(prefix)
-
-install:
-	install -dm755 $$(DESTDIR)$$(PREFIX)/share/pacman/keyrings/
-	install -m0644 @KEYRING_NAME@{.gpg,-trusted,-revoked} $$(DESTDIR)$$(PREFIX)/share/pacman/keyrings/
-
-uninstall:
-	rm -f $$(DESTDIR)$$(PREFIX)/share/pacman/keyrings/@KEYRING_NAME@{.gpg,-trusted,-revoked}
-	rmdir -p --ignore-fail-on-non-empty $$(DESTDIR)$$(PREFIX)/share/pacman/keyrings/
-
-.PHONY: install uninstall
-endef
-
-$(outputdir)/Makefile: $(cachedir)/txt.Makefile.in $(var)V $(var)KEYRING_NAME | $(outputdir)
-	sed $(foreach v,$(patsubst $(var)%,%,$(filter $(var)%,$^)), -e 's|@$v@|$($v)|' ) < $< > $@
-
-
-users := $(sort $(shell find $(yamldir))) $(var)users
-
-# Assemble the list of .asc files needed to generate the keyring
-$(cachedir)/deps.mk: ${users} $(var)outputdir $(var)cachedir $(var)KEYRING_NAME| $(cachedir)
-	{ \
-	echo $(outputdir)/${KEYRING_NAME}.gpg: $$($(bin)/pgp-list-keyids | sed -r 's|(\S+) .*|$$(cachedir)/keys/\1.asc|') && \
-	echo $(cachedir)/stamp.ownertrust: $$($(bin)/pgp-list-keyids | sed -rn 's|^(trusted/\S+) .*|$$(cachedir)/keys/\1.asc|p') && \
-	$(bin)/pgp-list-keyids | sed -rn 's|^trusted/(\S+) (.*)|keyid.\1 = \2|p' && \
-	$(bin)/uid-map | sed 's|.*|trusted:&\nsecondary:&\nrevoked:&|' | sed -r 's|(.*):(.*):(.*)|$$(cachedir)/keys/\1/\3.asc: $$(yamldir)/\2.yml|' && \
-	:; }> $@
--include $(cachedir)/deps.mk
-
-# The remainder of file is mostly just a translation of the shell
-# script `update-keys`.
-#
-# https://git.archlinux.org/archlinux-keyring.git/tree/update-keys
-
-export LANG=C
-
-KEYSERVER = hkp://pool.sks-keyservers.net
-
-GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome
-
-define gpg-init
-%echo Generating Parabola Keyring keychain master key...
-Key-Type: RSA
-Key-Length: 1024
-Key-Usage: sign
-Name-Real: Parabola Keyring Keychain Master Key
-Name-Email: parabola-keyring@localhost
-Expire-Date: 0
-%no-protection
-%commit
-%echo Done
-endef
-$(cachedir)/stamp.gpg-init: $(cachedir)/txt.gpg-init $(var)GPG | $(cachedir)/gpghome
-	${GPG} --gen-key < $<
-	touch $@
-
-# The appropriate ${uid}.yml file is added as a dependency to
-# ${username}.yml by deps.mk
-keyid=$(keyid.$(patsubst %.asc,%,$(notdir $@)))
-
-# In 'update-keys', this is the 'master-keyids' loop
-$(outputdir)/${KEYRING_NAME}-trusted: ${users} | $(outputdir)
-	$(bin)/pgp-list-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@
-$(cachedir)/keys/trusted/%.asc : $(cachedir)/stamp.gpg-init | $(cachedir)/keys/trusted
-	${GPG} --recv-keys ${keyid} &>/dev/null
-	printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
-	printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid} &>/dev/null
-	${GPG} --armor --no-emit-version --export ${keyid} > $@
-
-$(cachedir)/stamp.ownertrust: $(outputdir)/${KEYRING_NAME}-trusted $(cachedir)/deps.mk
-	${GPG} --import-ownertrust < $< 2>/dev/null
-	touch $@
-
-# In 'update-keys', this is the 'packager-keyids' loop
-$(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/keys/secondary
-	${GPG} --recv-keys ${keyid} &>/dev/null
-	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
-	${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it is trusted
-	${GPG} --armor --no-emit-version --export ${keyid} > $@
-
-# In 'update-keys', this is the 'packager-revoked-keyids' loop
-$(outputdir)/${KEYRING_NAME}-revoked: ${users} | $(outputdir)
-	$(bin)/pgp-list-keyids | sed -rn 's|^revoked/\S+ ||p' > $@
-$(cachedir)/keys/revoked/%.asc : $(cachedir)/stamp.ownertrust | $(cachedir)/keys/revoked
-	${GPG} --recv-keys ${keyid} &>/dev/null
-	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
-	! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it isn't trusted
-	${GPG} --armor --no-emit-version --export ${keyid} > $@
-
-$(outputdir)/${KEYRING_NAME}.gpg: $(cachedir)/deps.mk | $(outputdir)
-	cat $(filter %.asc,$^) > $@