pkgmeek: tidy up the get_repo_key routine

This commit is contained in:
John McQuah 2023-02-24 08:56:27 -05:00
parent 0ddcfa250e
commit d3b4219e80

View File

@ -13,7 +13,7 @@ local errDL=0; local errUZ=0; local BSDTAR="/usr/bin/bsdtar --format=gnutar"
parse_options "$@"
# Exit early if refreshing an existing sha256 manifest was requested
[ "$PKGMK_REFRESH_SIG" = "yes" ] && { make_signature refresh ; exit $?; }
[ "$PKGMK_REFRESH_SIG" = "yes" ] && { make_signature refresh && info "signature refreshed."; exit $?; }
#
# Read the Pkgfile to determine what to do next. But first ensure that
# it came from a trusted source (FS#1851)
@ -109,7 +109,7 @@ if [ "$PKGMK_UPDATE_FOOTPRINT" = "yes" ]; then
fi
# Updating signatures (option -us) requires only sources and footprint, not a built package.
# As with -uf, exit after fulfilling the explicit request for a manifest.
[ "$PKGMK_UPDATE_SIG" = "yes" ] && { make_signature new; cleanup_work; exit $?; }
[ "$PKGMK_UPDATE_SIG" = "yes" ] && { make_signature new && info "signature created."; cleanup_work; exit $?; }
# All the sources should be here by now, let's verify that we can trust them.
readonly cs_fail_msg="Use '--ignore-signature' to override, if you have determined integrity by other means."
@ -456,7 +456,7 @@ check_signature() { # called from $PKGMK_ROOT in the case "when"="pre-Pkgfile",
local reqfiles=(Pkgfile); local s=0; local when="$1";
local SIGNIFY_ARGS=(-C -x "$PKGMK_ROOT/.signature")
[ "$PKGMK_PUBLICKEY" ] || PKGMK_PUBLICKEY=$(get_repo_key public)
[ -n "$PKGMK_PUBLICKEY" ] || PKGMK_PUBLICKEY="$(get_repo_key public)"
if [ -f "$PKGMK_ROOT/.signature" ]; then
[ "$when" = "pre-Pkgfile" ] || reqfiles=(.footprint)
while [ "$when" = "pre-build" ] && (( s < ${#_local_[@]} )); do
@ -466,7 +466,7 @@ check_signature() { # called from $PKGMK_ROOT in the case "when"="pre-Pkgfile",
for FILE in "${reqfiles[@]}"; do
[ -e "$FILE" ] || ln -sf "$PKGMK_ROOT/$FILE" .
done
[ -f "$PKGMK_PUBLICKEY" ] && SIGNIFY_ARGS+=(-p "$PKGMK_PUBLICKEY")
[ -r "$PKGMK_PUBLICKEY" ] && SIGNIFY_ARGS+=(-p "$PKGMK_PUBLICKEY")
/usr/bin/signify "${SIGNIFY_ARGS[@]}" "${reqfiles[@]}" 2>&1
else
[ "$when" = "pre-Pkgfile" ] && echo "Pkgfile verification failed"
@ -475,23 +475,23 @@ check_signature() { # called from $PKGMK_ROOT in the case "when"="pre-Pkgfile",
}
get_repo_key() {
local typ="${1:0:3}"
for key in "/etc/ports/*.$typ" "$HOME/.ssh/*.$typ"; do
[ -e "$key" ] || continue
REPO="$(dirname "$PWD")"; REPO="$(basename -s .git "$REPO")";
[ "$REPO" = "$(basename -s ".$typ" "$key")" ] && { echo "$key"; break; }
done
local typ="${1:0:3}"; local REPO;
REPO=$(dirname "$PKGMK_ROOT"); REPO=$(basename -s .git "$REPO");
ls "/etc/ports/$REPO.$typ" 2>/dev/null \
|| ls "$HOME/.ssh/$REPO.$typ" 2>/dev/null
}
make_signature() {
local ordered si pub
[ -w "$PKGMK_ROOT/.signature" ] || { error ".signature not writable."; return $E_DIRPERM; }
[ "$PKGMK_PRIVATEKEY" ] || PKGMK_PRIVATEKEY="$(get_repo_key secret)"
[ -r "$PKGMK_PRIVATEKEY" ] && \
pub="/etc/ports/$(basename -s ".sec" "$PKGMK_PRIVATEKEY").pub" || \
{ error "No suitable secret key found. Specify one explicitly with '-sk'.";
return $E_SIGNATURE; }
[ -n "$PKGMK_PRIVATEKEY" ] || PKGMK_PRIVATEKEY="$(get_repo_key secret)"
if [ -n "$PKGMK_PRIVATEKEY" ]; then
pub="/etc/ports/$(basename -s .sec "$PKGMK_PRIVATEKEY").pub"
else
error "No suitable secret key found. Specify one explicitly with '-sk'."
return $E_SIGNATURE
fi
# create a new .signature, or refresh an existing manifest?
case "$1" in
@ -516,7 +516,7 @@ make_signature() {
{ error "missing .signature, cannot refresh."; return $E_SIGNATURE; }
if tail -n +3 ".signature" | /usr/bin/signify -S -e -x - -q \
-s "$PKGMK_PRIVATEKEY" -m - > .signature.tmp; then
mv .signature.tmp .signature; info "Signature refreshed."
mv .signature.tmp .signature
else
rm .signature.tmp; return $E_SIGNATURE
fi