diff --git a/scripts/pkgmeek b/scripts/pkgmeek index 35feecc..2caf4cc 100755 --- a/scripts/pkgmeek +++ b/scripts/pkgmeek @@ -13,7 +13,7 @@ local errDL=0; local errUZ=0; local BSDTAR="/usr/bin/bsdtar --format=gnutar" parse_options "$@" # Exit early if refreshing an existing sha256 manifest was requested -[ "$PKGMK_REFRESH_SIG" = "yes" ] && { make_signature refresh ; exit $?; } +[ "$PKGMK_REFRESH_SIG" = "yes" ] && { make_signature refresh && info "signature refreshed."; exit $?; } # # Read the Pkgfile to determine what to do next. But first ensure that # it came from a trusted source (FS#1851) @@ -109,7 +109,7 @@ if [ "$PKGMK_UPDATE_FOOTPRINT" = "yes" ]; then fi # Updating signatures (option -us) requires only sources and footprint, not a built package. # As with -uf, exit after fulfilling the explicit request for a manifest. -[ "$PKGMK_UPDATE_SIG" = "yes" ] && { make_signature new; cleanup_work; exit $?; } +[ "$PKGMK_UPDATE_SIG" = "yes" ] && { make_signature new && info "signature created."; cleanup_work; exit $?; } # All the sources should be here by now, let's verify that we can trust them. readonly cs_fail_msg="Use '--ignore-signature' to override, if you have determined integrity by other means." @@ -456,7 +456,7 @@ check_signature() { # called from $PKGMK_ROOT in the case "when"="pre-Pkgfile", local reqfiles=(Pkgfile); local s=0; local when="$1"; local SIGNIFY_ARGS=(-C -x "$PKGMK_ROOT/.signature") - [ "$PKGMK_PUBLICKEY" ] || PKGMK_PUBLICKEY=$(get_repo_key public) + [ -n "$PKGMK_PUBLICKEY" ] || PKGMK_PUBLICKEY="$(get_repo_key public)" if [ -f "$PKGMK_ROOT/.signature" ]; then [ "$when" = "pre-Pkgfile" ] || reqfiles=(.footprint) while [ "$when" = "pre-build" ] && (( s < ${#_local_[@]} )); do @@ -466,7 +466,7 @@ check_signature() { # called from $PKGMK_ROOT in the case "when"="pre-Pkgfile", for FILE in "${reqfiles[@]}"; do [ -e "$FILE" ] || ln -sf "$PKGMK_ROOT/$FILE" . done - [ -f "$PKGMK_PUBLICKEY" ] && SIGNIFY_ARGS+=(-p "$PKGMK_PUBLICKEY") + [ -r "$PKGMK_PUBLICKEY" ] && SIGNIFY_ARGS+=(-p "$PKGMK_PUBLICKEY") /usr/bin/signify "${SIGNIFY_ARGS[@]}" "${reqfiles[@]}" 2>&1 else [ "$when" = "pre-Pkgfile" ] && echo "Pkgfile verification failed" @@ -475,23 +475,23 @@ check_signature() { # called from $PKGMK_ROOT in the case "when"="pre-Pkgfile", } get_repo_key() { - local typ="${1:0:3}" - for key in "/etc/ports/*.$typ" "$HOME/.ssh/*.$typ"; do - [ -e "$key" ] || continue - REPO="$(dirname "$PWD")"; REPO="$(basename -s .git "$REPO")"; - [ "$REPO" = "$(basename -s ".$typ" "$key")" ] && { echo "$key"; break; } - done + local typ="${1:0:3}"; local REPO; + REPO=$(dirname "$PKGMK_ROOT"); REPO=$(basename -s .git "$REPO"); + ls "/etc/ports/$REPO.$typ" 2>/dev/null \ + || ls "$HOME/.ssh/$REPO.$typ" 2>/dev/null } make_signature() { local ordered si pub [ -w "$PKGMK_ROOT/.signature" ] || { error ".signature not writable."; return $E_DIRPERM; } - [ "$PKGMK_PRIVATEKEY" ] || PKGMK_PRIVATEKEY="$(get_repo_key secret)" - [ -r "$PKGMK_PRIVATEKEY" ] && \ - pub="/etc/ports/$(basename -s ".sec" "$PKGMK_PRIVATEKEY").pub" || \ - { error "No suitable secret key found. Specify one explicitly with '-sk'."; - return $E_SIGNATURE; } + [ -n "$PKGMK_PRIVATEKEY" ] || PKGMK_PRIVATEKEY="$(get_repo_key secret)" + if [ -n "$PKGMK_PRIVATEKEY" ]; then + pub="/etc/ports/$(basename -s .sec "$PKGMK_PRIVATEKEY").pub" + else + error "No suitable secret key found. Specify one explicitly with '-sk'." + return $E_SIGNATURE + fi # create a new .signature, or refresh an existing manifest? case "$1" in @@ -516,7 +516,7 @@ make_signature() { { error "missing .signature, cannot refresh."; return $E_SIGNATURE; } if tail -n +3 ".signature" | /usr/bin/signify -S -e -x - -q \ -s "$PKGMK_PRIVATEKEY" -m - > .signature.tmp; then - mv .signature.tmp .signature; info "Signature refreshed." + mv .signature.tmp .signature else rm .signature.tmp; return $E_SIGNATURE fi