-rwxr-xr-x | bin/pacman-make-keyring | 50 | ||||
-rw-r--r-- | config.mk | 2 | ||||
-rw-r--r-- | parabola-hackers.yml | 4 |
3 files changed, 34 insertions, 22 deletions
diff --git a/bin/pacman-make-keyring b/bin/pacman-make-keyring
index 9b1109c..39f8942 100755
--- a/bin/pacman-make-keyring
+++ b/bin/pacman-make-keyring
@@ -1,7 +1,9 @@
-#!/usr/bin/make -rRf
-# Usage: pacman-make-keyring V=$(date -u +%Y%m%d)
+#!/usr/bin/env -S make -j1 -rRf
-# Copyright 2014, 2016 Luke Shumaker <lukeshu@sbcglobal.net>.
+# Usage: pacman-make-keyring V=$(date -u +%Y%m%d) [ keyserver=<HKP_URL> ]
+
+# Copyright 2014,2016 Luke Shumaker <lukeshu@sbcglobal.net>
+# Copyright 2021-2022 bill-auger <bill-auger@programmer.net>
 #
 # This is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
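Review bot: The new shebang `#!/usr/bin/env -S make -j1 -rRf` relies on `env -S` (GNU coreutils 8.30 or newer, also BSD env) and the file nowhere states that, so on an older env the script fails with an opaque "No such file" rather than a useful message. The reason for pinning `-j1` is also only discoverable far below, in the key-fetch recipes that space out keyserver requests. I would add directly under the shebang `# -S needs coreutils >= 8.30; -j1 keeps keyserver fetches sequential (see FETCH_IVL below)` so that someone invoking `make -f bin/pacman-make-keyring -j` directly knows what the serialisation guards against.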
@@ -17,24 +19,28 @@ # License along with this manual; if not, see # <http://www.gnu.org/licenses/>. + +# apply config +KEYRING_NAME = parabola +bin := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST)))) +yamldir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']") +keyserver := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_keyserver']") +cachedir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']") +outputdir = $(cachedir)/$(KEYRING_NAME)-keyring-$(V) + +# sanity checks ifeq ($(origin V),undefined) -$(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d)) -$(error You must set V= on the command line) + $(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d) [ keyserver=<HKP_URL> ]) $(info) + $(error V= must be set in the environment, on the command line, etc) endif -ifeq ($(origin keyserver),undefined) -keyserver = hkp://pgp.cyberbits.eu:11371 +ifneq ($(findstring hkp://,${keyserver}),hkp://) + $(error keyserver must be a valid hkp:// URL) endif - -bin := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST)))) -yamldir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']") -cachedir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']") -outputdir = $(cachedir)/$(KEYRING_NAME)-keyring-$(V) -KEYRING_NAME = parabola all: $(KEYRING_NAME)-keyring-$(V).tar.gz .PHONY: all - + export SHELL = /bin/bash -o pipefail .PHONY: FORCE .SECONDARY: @@ -63,7 +69,7 @@ $(cachedir)/var.%: FORCE | $(cachedir) $(cachedir)/txt.%: $(cachedir)/var.% sed 's|^#||' < $< > $@ var=$(cachedir)/var. - + keyring-files = \ $(outputdir)/Makefile \ $(outputdir)/${KEYRING_NAME}.gpg \ @@ -93,7 +99,7 @@ endef $(outputdir)/Makefile: $(cachedir)/txt.Makefile.in $(var)V $(var)KEYRING_NAME | $(outputdir) sed $(foreach v,$(patsubst $(var)%,%,$(filter $(var)%,$^)), -e 's|@$v@|$($v)|' ) < $< > $@ - + users := $(sort $(shell find $(yamldir))) $(var)users # Assemble the list of .asc files needed to generate the keyring 
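Review bot: The new check `ifneq ($(findstring hkp://,${keyserver}),hkp://)` only asks whether the substring occurs anywhere, so a value like `foo hkp://` passes while `hkps://…`, the TLS-protected variant of the same protocol, is rejected outright. Anchoring the test at the start and admitting hkps would be `ifeq ($(filter hkp://% hkps://%,$(firstword $(keyserver))),)` followed by `$(error keyserver must be an hkp:// or hkps:// URL, got '$(keyserver)')`, which also echoes the offending value instead of just naming the rule. This matters because every `--recv-keys` in this file goes over that URL; with plain hkp an on-path attacker can serve stale key material (a key without its latest revocation or expiry update), and gpg's fingerprint match on fetched keys, as far as I can tell, limits substitution but not staleness. Allowing hkps here costs nothing and lets the YAML default be moved to a secured endpoint later without touching this script.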
@@ -113,9 +119,11 @@ $(cachedir)/deps.mk: ${users} $(var)outputdir $(var)cachedir $(var)KEYRING_NAME| export LANG=C +# NOTE: Key fetches tend to fail if fired-off too rapidly, +# (even 2 seconds intervals). 5 seconds intervals has not yet failed. +FETCH_IVL = 5 KEYSERVER = ${keyserver} - -GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome +GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome define gpg-init %echo Generating Parabola Keyring keychain master key... @@ -141,7 +149,7 @@ keyid=$(keyid.$(patsubst %.asc,%,$(notdir $@))) $(outputdir)/${KEYRING_NAME}-trusted: ${users} | $(outputdir) $(bin)/pgp-list-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@ $(cachedir)/keys/trusted/%.asc : $(cachedir)/stamp.gpg-init | $(cachedir)/keys/trusted - ${GPG} --recv-keys ${keyid} + sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid} printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid} printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid} ${GPG} --armor --no-emit-version --export ${keyid} > $@ @@ -152,7 +160,7 @@ $(cachedir)/stamp.ownertrust: $(outputdir)/${KEYRING_NAME}-trusted $(cachedir)/d # In 'update-keys', this is the 'packager-keyids' loop $(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/keys/secondary - ${GPG} --recv-keys ${keyid} + sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid} printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid} ${GPG} --list-keys --with-colons ${keyid} | grep -q '^pub:f:' # make sure it is trusted ${GPG} --armor --no-emit-version --export ${keyid} > $@ 
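Review bot: `sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}` in the trusted/%.asc recipe spaces fetches out but still gives up on the first failure, so the transient keyserver errors the new NOTE describes abort the whole keyring build with no retry. A bounded retry that keeps the pause between attempts would be `for try in 1 2 3; do sleep ${FETCH_IVL}; ${GPG} --recv-keys ${keyid} && break; [ $$try -lt 3 ]; done` (the trailing `[ ]` makes the loop's exit status non-zero after the last failed attempt); the same line recurs in the secondary and revoked rules, so a shared `define` would keep the three in step. Since the following `--edit-key` and `--lsign-key` lines sign whatever arrived for `${keyid}`, it is also worth a comment stating that `${keyid}` is expected to be a full fingerprint — gpg's keyserver import is understood to reject non-matching keys only when asked by fingerprint, and pgp-list-keyids is not visible from this hunk to confirm what it emits.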
@@ -161,7 +169,7 @@ $(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/key $(outputdir)/${KEYRING_NAME}-revoked: ${users} | $(outputdir) $(bin)/pgp-list-keyids | sed -rn 's|^revoked/\S+ ||p' > $@ $(cachedir)/keys/revoked/%.asc : $(cachedir)/stamp.ownertrust | $(cachedir)/keys/revoked - ${GPG} --recv-keys ${keyid} + sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid} printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid} ! ${GPG} --list-keys --with-colons ${keyid} | grep -q '^pub:f:' # make sure it isn't trusted ${GPG} --armor --no-emit-version --export ${keyid} > $@ @@ -3,7 +3,7 @@ topoutdir := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST)))) topsrcdir := $(topoutdir) PACKAGE = parabola-hackers -VERSION = 20200201 +VERSION = 20220802 sysusersdir = $(prefix)/lib/sysusers.d systemunitdir = $(prefix)/lib/systemd/system diff --git a/parabola-hackers.yml b/parabola-hackers.yml index b993e6c..4fab8d2 100644 --- a/parabola-hackers.yml +++ b/parabola-hackers.yml @@ -48,3 +48,7 @@ pam_password_prohibit_message: '' # Where to keep files that can be cached between versions when making # the pacman keyring. keyring_cachedir: "/var/cache/parabola-hackers" + +# KeyServer which is known to be in a distributed network, +# on which Parabola Hackers keys are accessible. +keyring_keyserver: 'hkp://pgp.cyberbits.eu:11371' |
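Review bot: The comment above the new `keyring_keyserver` setting says the host "is known to be in a distributed network", a claim that cannot be checked from this file and that the value itself contradicts by pinning a single host and port, while it omits the one constraint the consumer actually enforces (the value must begin with `hkp://`, or pacman-make-keyring errors out). I would replace the two comment lines with `# Keyserver that pacman-make-keyring fetches hacker keys from (override with keyserver=... on its command line).` and `# Must start with hkp://; hkp is cleartext, so prefer a server that also offers hkps:// once the script accepts it.` The server-pool statement is better dropped than restated, since nothing here supports it.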