clean-chroot-manager

a new option to pass --sign to makepkg

Open Bronek opened this issue 9 years ago • 4 comments

Rather than sign after the build, it would be nice to have an option to pass --sign to makepkg. Perhaps something along the lines:

$ tail -2 ~/.config/clean-chroot-manager.conf
# Options passed to makepkg
MAKEPKGFLAGS="--sign"

$ diff -u clean-chroot-manager64
@@ -167,9 +167,9 @@
        echo -e "${YELLOW}---->${ALL_OFF}${BOLD} ${mesg}${ALL_OFF}"

        if [[ -z "$RUNNAMCAP" ]]; then
-               makechrootpkg -c -u -r $CHROOTPATH64
+               makechrootpkg -c -u -r $CHROOTPATH64  -- $MAKEPKGFLAGS
         else
-               makechrootpkg -c -u -n -r $CHROOTPATH64
+               makechrootpkg -c -u -n -r $CHROOTPATH64 -- $MAKEPKGFLAGS
        fi

    # stop here if build fails
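
Review bot: In both added makechrootpkg lines, $MAKEPKGFLAGS is expanded unquoted, so the option only works through word splitting, and any value containing spaces or glob characters is split or expanded before makepkg sees it. Consider declaring MAKEPKGFLAGS as a bash array in the config and passing "${MAKEPKGFLAGS[@]}" after the --. The first added line also has a doubled space before --.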
@@ -182,9 +182,9 @@
        echo -e "${YELLOW}---->${ALL_OFF}${BOLD} ${mesg}${ALL_OFF}"

        if [[ -z "$RUNNAMCAP" ]]; then
-               makechrootpkg -u -r $CHROOTPATH64
+               makechrootpkg -u -r $CHROOTPATH64 -- $MAKEPKGFLAGS
        else
-               makechrootpkg -u -n -r $CHROOTPATH64
+               makechrootpkg -u -n -r $CHROOTPATH64 -- $MAKEPKGFLAGS
        fi
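
Review bot: The tail "-- $MAKEPKGFLAGS" is now repeated on every makechrootpkg call in this hunk as well as the previous one, so four call sites have to stay in sync. Build the argument list once before the RUNNAMCAP test and reuse it. Nothing in the patch gives MAKEPKGFLAGS a default or documents it beyond the sample config line, so a commented default in the shipped config would help.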

Bronek avatar Mar 08 '15 22:03 Bronek

I desperately need this. I'm a bit surprised that it has been almost 4 years...

xuanruiqi avatar Jul 07 '19 05:07 xuanruiqi

Is there any intention of supporting this functionality?

mwgamble avatar Mar 23 '21 22:03 mwgamble

I don't think passing -- --sign is going to work since the keys would need to be in the buildroot. I think signing would need to be handled as a post-process step by ccm not by any of the devtool scripts.

graysky2 avatar Mar 24 '21 17:03 graysky2

How about using https://git.archlinux.org/pacman.git/tree/scripts/libmakepkg/integrity/generate_signature.sh.in as a base, then adding a new configuration variable like "DOSIGN" and a function like this:

sign() {
	local mesg="Signing package..."

	# Assuming that GPGKEY key is set in /etc/makepkg.conf
	. /etc/makepkg.conf

	# Following code taken from https://git.archlinux.org/pacman.git/tree/scripts/libmakepkg/integrity/generate_signature.sh.in
	# msg2 and warning are makepkg's message helpers; the calling script must provide them
	local ret=0
	local filename="$1"

	# Only pass -u when a key is configured, otherwise gpg uses its default key
	local SIGNWITHKEY=()
	if [[ -n $GPGKEY ]]; then
		SIGNWITHKEY=(-u "${GPGKEY}")
	fi

	# Write a binary detached signature next to the package ($filename.sig)
	gpg --detach-sign --use-agent "${SIGNWITHKEY[@]}" --no-armor "$filename" &>/dev/null || ret=$?

	if (( ! ret )); then
		msg2 "$(gettext "Created signature file %s.")" "${filename##*/}.sig"
	else
		warning "$(gettext "Failed to sign package file %s.")" "${filename##*/}"
	fi

	return $ret
}

which is called after build().

regards Kai

ghost avatar Apr 07 '21 08:04 ghost
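
The post-process approach discussed in the last two comments, as an added example that is not code from clean-chroot-manager or from any participant in this thread: packages are signed on the host after makechrootpkg has returned, so the private key is never needed in the build root, and each new signature is checked against its package. The function names `sign_one` and `sign_built_packages`, their arguments, and the path in the usage comment are assumptions.

```sh
# Added example, not part of clean-chroot-manager. Runs on the host after
# makechrootpkg has finished, so the private key never has to be copied into
# the build root. Function names and arguments are hypothetical.

# sign_one PKG [KEYID]: write a binary detached signature to PKG.sig
sign_one() {
    if [ -n "${2:-}" ]; then
        gpg --detach-sign --no-armor --local-user "$2" --output "$1.sig" "$1"
    else
        gpg --detach-sign --no-armor --output "$1.sig" "$1"
    fi
}

# sign_built_packages DIR [KEYID]
# Signs every package in DIR that has no .sig yet and checks each new
# signature against its package. Exit status is 1 if any package failed.
# The body is a subshell, so its variables do not leak into the caller.
sign_built_packages() (
    dir=$1 key=${2:-} failed=0
    for pkg in "$dir"/*.pkg.tar.*; do
        case $pkg in *.sig) continue ;; esac    # a signature, not a package
        if [ ! -f "$pkg" ]; then continue; fi   # glob matched nothing
        if [ -e "$pkg.sig" ]; then continue; fi # already signed, leave it alone
        if sign_one "$pkg" "$key" && gpg --verify "$pkg.sig" "$pkg"; then
            printf 'signed %s\n' "${pkg##*/}"
        else
            rm -f -- "$pkg.sig"                 # do not leave a bad signature behind
            printf 'failed to sign %s\n' "${pkg##*/}" >&2
            failed=1
        fi
    done
    exit "$failed"
)

# Usage (constructed path): sign_built_packages /scratch/chroot/repo "$GPGKEY"
```

Unlike the function quoted above, gpg's own error output is left visible, which makes a missing key or a locked agent easier to diagnose.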