3 files changed, 34 insertions, 22 deletions
diff --git a/bin/pacman-make-keyring b/bin/pacman-make-keyring
index 9b1109c..39f8942 100755
--- a/bin/pacman-make-keyring
+++ b/bin/pacman-make-keyring
@@ -1,7 +1,9 @@
-#!/usr/bin/make -rRf
-# Usage: pacman-make-keyring V=$(date -u +%Y%m%d)
+#!/usr/bin/env -S make -j1 -rRf
 
-# Copyright 2014, 2016 Luke Shumaker <lukeshu@sbcglobal.net>.
+# Usage: pacman-make-keyring V=$(date -u +%Y%m%d) [ keyserver=<HKP_URL> ]
+
+# Copyright 2014,2016 Luke Shumaker <lukeshu@sbcglobal.net>
+# Copyright 2021-2022 bill-auger    <bill-auger@programmer.net>
 #
 # This is free software; you can redistribute it and/or
 # modify it under the terms of the GNU General Public License as
@@ -17,24 +19,28 @@
 # License along with this manual; if not, see
 # <http://www.gnu.org/licenses/>.
 
+
+# apply config
+KEYRING_NAME = parabola
+bin         := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))
+yamldir     := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']")
+keyserver   := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_keyserver']")
+cachedir    := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']")
+outputdir    = $(cachedir)/$(KEYRING_NAME)-keyring-$(V)
+
+# sanity checks
 ifeq ($(origin V),undefined)
-$(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d))
-$(error You must set V= on the command line)
+  $(info Usage: pacman-make-keyring V=$$(date -u +%Y%m%d) [ keyserver=<HKP_URL> ]) $(info)
+  $(error V= must be set in the environment, on the command line, etc)
 endif
-ifeq ($(origin keyserver),undefined)
-keyserver = hkp://pgp.cyberbits.eu:11371
+ifneq ($(findstring hkp://,${keyserver}),hkp://)
+  $(error keyserver must be a valid hkp:// URL)
 endif
-
-bin := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))
-yamldir  := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['yamldir']")
-cachedir := $(shell ruby -e "load '$(bin)/common.rb'; print cfg['keyring_cachedir']")
-outputdir = $(cachedir)/$(KEYRING_NAME)-keyring-$(V)
 
-KEYRING_NAME = parabola
 
 all: $(KEYRING_NAME)-keyring-$(V).tar.gz
 .PHONY: all
-
+
 export SHELL = /bin/bash -o pipefail
 .PHONY: FORCE
 .SECONDARY:
@@ -63,7 +69,7 @@ $(cachedir)/var.%: FORCE | $(cachedir)
 $(cachedir)/txt.%: $(cachedir)/var.%
 	sed 's|^#||' < $< > $@
 var=$(cachedir)/var.
-
+
 keyring-files = \
 	$(outputdir)/Makefile \
 	$(outputdir)/${KEYRING_NAME}.gpg \
@@ -93,7 +99,7 @@ endef
 $(outputdir)/Makefile: $(cachedir)/txt.Makefile.in $(var)V $(var)KEYRING_NAME | $(outputdir)
 	sed $(foreach v,$(patsubst $(var)%,%,$(filter $(var)%,$^)), -e 's|@$v@|$($v)|' ) < $< > $@
 
-
+
 users := $(sort $(shell find $(yamldir))) $(var)users
 
 # Assemble the list of .asc files needed to generate the keyring
@@ -113,9 +119,11 @@ $(cachedir)/deps.mk: ${users} $(var)outputdir $(var)cachedir $(var)KEYRING_NAME|
 
 export LANG=C
 
+# NOTE: Key fetches tend to fail if fired-off too rapidly,
+#       (even 2 seconds intervals). 5 seconds intervals has not yet failed.
+FETCH_IVL = 5
 KEYSERVER = ${keyserver}
-
-GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome
+GPG       = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir $(cachedir)/gpghome
 
 define gpg-init
 %echo Generating Parabola Keyring keychain master key...
@@ -141,7 +149,7 @@ keyid=$(keyid.$(patsubst %.asc,%,$(notdir $@)))
 $(outputdir)/${KEYRING_NAME}-trusted: ${users} | $(outputdir)
 	$(bin)/pgp-list-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@
 $(cachedir)/keys/trusted/%.asc  : $(cachedir)/stamp.gpg-init   | $(cachedir)/keys/trusted
-	${GPG} --recv-keys ${keyid}
+	sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}
 	printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
 	printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid}
 	${GPG} --armor --no-emit-version --export ${keyid} > $@
@@ -152,7 +160,7 @@ $(cachedir)/stamp.ownertrust: $(outputdir)/${KEYRING_NAME}-trusted $(cachedir)/d
 
 # In 'update-keys', this is the 'packager-keyids' loop
 $(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/keys/secondary
-	${GPG} --recv-keys ${keyid}
+	sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}
 	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
 	${GPG} --list-keys --with-colons ${keyid} | grep -q '^pub:f:' # make sure it is trusted
 	${GPG} --armor --no-emit-version --export ${keyid} > $@
@@ -161,7 +169,7 @@ $(cachedir)/keys/secondary/%.asc: $(cachedir)/stamp.ownertrust | $(cachedir)/key
 $(outputdir)/${KEYRING_NAME}-revoked: ${users} | $(outputdir)
 	$(bin)/pgp-list-keyids | sed -rn 's|^revoked/\S+ ||p' > $@
 $(cachedir)/keys/revoked/%.asc  : $(cachedir)/stamp.ownertrust | $(cachedir)/keys/revoked
-	${GPG} --recv-keys ${keyid}
+	sleep ${FETCH_IVL} && ${GPG} --recv-keys ${keyid}
 	printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
 	! ${GPG} --list-keys --with-colons ${keyid} | grep -q '^pub:f:' # make sure it isn't trusted
 	${GPG} --armor --no-emit-version --export ${keyid} > $@
diff --git a/config.mk b/config.mk
index 0eb23e3..28da205 100644
--- a/config.mk
+++ b/config.mk
@@ -3,7 +3,7 @@ topoutdir := $(patsubst %/,%,$(dir $(lastword $(MAKEFILE_LIST))))
 topsrcdir := $(topoutdir)
 
 PACKAGE = parabola-hackers
-VERSION = 20200201
+VERSION = 20220802
 
 sysusersdir = $(prefix)/lib/sysusers.d
 systemunitdir = $(prefix)/lib/systemd/system
diff --git a/parabola-hackers.yml b/parabola-hackers.yml
index b993e6c..4fab8d2 100644
--- a/parabola-hackers.yml
+++ b/parabola-hackers.yml
@@ -48,3 +48,7 @@ pam_password_prohibit_message: ''
 # Where to keep files that can be cached between versions when making
 # the pacman keyring.
 keyring_cachedir: "/var/cache/parabola-hackers"
+
+# KeyServer which is known to be in a distributed network,
+# on which Parabola Hackers keys are accessible.
+keyring_keyserver: 'hkp://pgp.cyberbits.eu:11371'