authorbill-auger <mr.j.spam.me@gmail.com>2023-07-05 18:40:55 -0400
committerbill-auger <mr.j.spam.me@gmail.com>2023-07-08 01:02:09 -0400
commitca05e4f319cd7da542471fe1e4935a6d21b82beb (patch)
treed5b0953e938865b19d09c55df5949a6ec57cf46f /libre/parabola-keyring
parente951a800dd63bfcf81dec5c02b169810c5fd45da (diff)
[parabola-keyring]: upgrade to v20230704
Diffstat (limited to 'libre/parabola-keyring')
-rw-r--r--libre/parabola-keyring/PKGBUILD114
-rw-r--r--libre/parabola-keyring/PKGBUILD.backup35
2 files changed, 66 insertions, 83 deletions
diff --git a/libre/parabola-keyring/PKGBUILD b/libre/parabola-keyring/PKGBUILD
index 086fb5ca9..0a867259a 100644
--- a/libre/parabola-keyring/PKGBUILD
+++ b/libre/parabola-keyring/PKGBUILD
@@ -2,71 +2,89 @@
# Maintainer: Parabola Hackers <dev@lists.parabola.nu>
-# NOTE: This PKGBUILD does not need to be edited manually.
-# The package is normally built automatically by autobuilder.
-# To generate a new keyring, simply push a new commit to hackers.git.
-# eg: $ git commit --allow-empty --message=rebuild
-# $ git push parabola master
-# The autobuilder will modify this PKGBUILD,
-# replacing $pkgver and $_gitver,
-# build and publish the package,
-# and commit the modified PKGBUILD to abslibre.
+# NOTE: This PKGBUILD does not need to be edited manuall.
+# You do not need to build it, nor librerelease it.
+# The package is built automatically by autobuilder,
+# upon a git push to the 'master' branch of hackers.git.
+# The autobuilder will modify this PKGBUILD, replacing $pkgver and $_gitrev,
+# build and publish the package, and commit the modified PKGBUILD to abslibre.
+# To generate a new keyring:
+# $ KEY_ID=<YOUR_40_CHAR_KEY_ID> # 'pgp_keyid' in your hackers.git YAML file
+# $ cd /path/to/hackers.git/
+# $ gpg --armor --no-emit-version --export $KEY_ID > keys/$KEY_ID.asc
+# $ git commit -m 'update my key' keys/$KEY_ID.asc
+# $ git push parabola master
pkgname=parabola-keyring
-pkgver=20230331
-_gitver=d81cb92a9b111bf2207036578487b09ea965d562
+pkgver=20230704
+_gitrev=9f016cda0a6ac0a988584461850dc16a2b646465
pkgrel=1
pkgdesc="Parabola GNU/Linux-libre PGP keyring"
arch=(any)
url=https://wiki.parabola.nu/Parabola_Keyring
-license=(GPL)
+license=(CCPL:zero)
makedepends=(git parabola-hackers)
-makedepends=( ${makedepends[*]/parabola-hackers/parabola-hackers>=20220802-1} ) # in libre-testing
-install=$pkgname.install
-source=(hackers-${_gitver}::git://git.parabola.nu/hackers.git#commit=${_gitver})
+install=${pkgname}.install
+source=(hackers-${_gitrev}-git::git://git.parabola.nu/hackers.git#commit=${_gitrev})
-sha512sums=('SKIP')
+sha512sums=(SKIP)
-prepare()
-{
- # network check
- # NOTE: this is the only parabola PKGBUILD, which requires internet access in the build chroot
- # the pacman-make-keyring procedure was originally in a mksource() function,
- # presumably for that reason; but that o/c removed the requirement only from users
- # TODO: it would be great to re-implement this, so that it does not
- # there is a WIP on the parabola-hackers.git 'wip-import-keys-from-hackers-git' branch
- local net_check_url=https://repo.parabola.nu/check_network_status.txt
- local net_err_msg="ERROR: this PKGBUILD requires internet access in the build chroot"
- curl ${net_check_url} &> /dev/null || ! echo "${net_err_msg}" || return 1
-}
-
build()
{
- mv {,.}hackers-${_gitver}
- mkdir .cachedir
- export PARABOLA_HACKERS_YAMLDIR="${PWD}"/.hackers-${_gitver}/users
-
- # NOTE: the current 'parabola-hackers' package does not yet recognize
- # the 'keyserver' env-var - the keyserver is still hard-coded;
- # and it is now invalid - 'parabola-hackers' must be rebuilt for this;
- # but that build currently has a problem - the autobuilder handles
- # this now, via an un-published kludge in the autobuild.sh script
- # TODO: remove this note and the version constraint,
- # after 'parabola-hackers' has been rebuilt
- # NOTE: the rebuilt 'parabola-hackers' is now in [libre-testing]
- /usr/lib/parabola-hackers/pacman-make-keyring \
- V=${pkgver} \
- keyserver=hkp://pgp.cyberbits.eu:11371 \
- cachedir="${PWD}/.cachedir"
+ collect_keyids() # (sed_rx)
+ {
+ export PARABOLA_HACKERS_YAMLDIR="${srcdir}"/hackers-${_gitrev}-git/users
+ /usr/lib/parabola-hackers/pgp-list-keyids | sed --quiet --regexp-extended "$1"
+ }
+
+
+ # prep
+ rm -rf build/ ; mkdir -p build/ ; touch build/parabola{.gpg,-{revoked,trusted}} ;
+ cd "${srcdir}"/build
+
+ # collect key IDs
+ collect_keyids 's|^revoked/\S+ ||p' >> parabola-revoked # lines like: <KEY_ID>
+ collect_keyids 's|^trusted/\S+ (\S+)|\1:4:|p' >> parabola-trusted # lines like: <KEY_ID>:4:
+
+ # populate keyring file
+ local keys_dir="${srcdir}"/hackers-${_gitrev}-git/keys
+ local key_begin='-----BEGIN PGP PUBLIC KEY BLOCK-----'
+ local key_end='-----END PGP PUBLIC KEY BLOCK-----'
+ local key_id
+ local key_file
+ for key_id in $(cut -d: -f1 parabola-trusted)
+ do key_file="${keys_dir}"/${key_id}.asc
+
+ if [[ -f "${key_file}" ]]
+ then if (( $(grep --count -- "${key_begin}" "${key_file}") == 1 &&
+ $(grep --count -- "${key_end}" "${key_file}") == 1 ))
+ then echo "certifying trusted key_id: ${key_id}"
+ cat "${key_file}" >> parabola.gpg # concatenated ASCII keys
+ else echo "invalid key_file: ${key_id}.asc"
+ fi
+ else echo "key_file missing for trusted key_id: ${key_id}"
+ fi
+ done
+
+ # verify collected keys
+ local n_trusted_keys=$( grep --count ':' parabola-trusted)
+ local n_certified_keys=$(grep --count -- "${key_end}" parabola.gpg )
+ if (( n_certified_keys ))
+ then echo "certified (${n_certified_keys}/${n_trusted_keys}) keys"
+ elif (( n_trusted_keys ))
+ then echo "ERROR: no keys were certifed" ; return 1 ;
+ else echo "ERROR: no trusted keys found" ; return 1 ;
+ fi
}
package()
{
- bsdtar xf ${pkgname}-${pkgver}.tar.gz
- cd ${pkgname}-${pkgver}
+ cd "${srcdir}"/build
- make PREFIX=/usr DESTDIR="${pkgdir}" install
+ install -Dm644 parabola-revoked "${pkgdir}"/usr/share/pacman/keyrings/parabola-revoked
+ install -Dm644 parabola-trusted "${pkgdir}"/usr/share/pacman/keyrings/parabola-trusted
+ install -Dm644 parabola.gpg "${pkgdir}"/usr/share/pacman/keyrings/parabola.gpg
}
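Review bot: The loop in build() accepts `keys/${key_id}.asc` on the strength of one BEGIN and one END armor line, so nothing ties the key material in the file to the fingerprint it is named for, and a single armor block can hold more than one public key. Whatever the file contains is appended to parabola.gpg and installed under /usr/share/pacman/keyrings, where it is presumably imported when the keyring is populated. I would compare the primary-key fingerprint(s) that gpg reports for the file against `key_id` and fail the build on any mismatch. Relatedly, the final check passes as soon as one key was collected, so a missing or rejected key file only prints a message while its ID still ships in parabola-trusted; requiring `n_certified_keys == n_trusted_keys` closes that gap. The sketch below assumes gpg is usable in the build chroot and that pgp-list-keyids emits full 40-character fingerprints.

```shell
  local key_fprs
  for key_id in $(cut -d: -f1 parabola-trusted)
  do  key_file="${keys_dir}"/${key_id}.asc
      # ... unchanged: file-exists and BEGIN/END marker checks ...

      # fingerprints of every primary key actually present in the file
      key_fprs=$(gpg --show-keys --with-colons "${key_file}" 2> /dev/null |
                 awk -F: '$1 == "pub" { want = 1 }
                          $1 == "fpr" && want { print $10 ; want = 0 }')
      if   [[ "${key_fprs}" == "${key_id^^}" ]]
      then cat "${key_file}" >> parabola.gpg
      else echo "ERROR: ${key_id}.asc does not contain exactly the key ${key_id}"
           return 1
      fi
  done

  # ... unchanged: n_trusted_keys / n_certified_keys counts ...
  if   (( n_certified_keys != n_trusted_keys ))
  then echo "ERROR: only (${n_certified_keys}/${n_trusted_keys}) trusted keys were collected"
       return 1
  fi
```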
diff --git a/libre/parabola-keyring/PKGBUILD.backup b/libre/parabola-keyring/PKGBUILD.backup
deleted file mode 100644
index 996f35d52..000000000
--- a/libre/parabola-keyring/PKGBUILD.backup
+++ /dev/null
@@ -1,35 +0,0 @@
-# Maintainer: Parabola automatic package builder <autobuilder@parabola.nu>
-
-pkgname=parabola-keyring
-pkgver=20191127
-_gitver=89066299c593bd574bda1c97f2a5c9be3bb833cf
-pkgrel=1
-pkgdesc='Parabola GNU/Linux-libre PGP keyring'
-arch=('any')
-url='https://git.parabola.nu/hackers.git/'
-license=('GPL')
-install=$pkgname.install
-source=(https://repo.parabola.nu/other/$pkgname/$pkgname-$pkgver.tar.gz{,.sig})
-sha512sums=('7955ba2afc61f2918025816494859faf2ed27ebdc609d492aae23f3b51744b29a2e4056823f1d4d6ae04837793a3cf24c431f0025b5ca719aa6b7ee64d4638ad'
- 'SKIP')
-validpgpkeys=('D3EAD7F9D076EB9AF650149DA170D6A0B669E21A') # Parabola automatic package builder <dev@lists.parabolagnulinux.org>
-
-mkdepends=('parabola-hackers')
-mksource=("hackers-${_gitver}::git://git.parabola.nu/hackers.git#commit=${_gitver}")
-mkmd5sums=('SKIP')
-
-mksource() {
- cd "$srcdir"
- mv {,.}hackers-$_gitver
- mkdir .cachedir
- /usr/lib/parabola-hackers/pacman-make-keyring \
- V="$pkgver" \
- PARABOLA_HACKERS_YAMLDIR="$PWD/.hackers-$_gitver/users" \
- cachedir="$PWD/.cachedir"
- bsdtar xf "$pkgname-$pkgver.tar.gz"
-}
-
-package() {
- cd "$srcdir/$pkgname-$pkgver"
- make PREFIX=/usr DESTDIR="${pkgdir}" install
-}