blob: d1858f4e8d54a6fcc9cfe99470f5fc0b0186eaeb (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
export LANG=C
export SHELL=/bin/bash
KEYSERVER = hkp://pool.sks-keyservers.net
GPG = gpg --quiet --batch --no-tty --no-permission-warning --keyserver ${KEYSERVER} --homedir output/cache/pacman-keyring/gpghome
MKDIRS = mkdir -p
FAIL = exit 1
keyring_name = parabola
all: PHONY pacman-keyring
clean: PHONY
rm -rf output/cache
####
pacman-keyring: PHONY \
output/pacman-keyring/${keyring_name}.gpg \
output/pacman-keyring/${keyring_name}-trusted \
output/pacman-keyring/${keyring_name}-revoked
# Assemble the list of .asc files needed to generate the keyring
output/cache/pacman-keyring/deps.mk: hackers.yml bin/list-pgp-keyids
$(MKDIRS) ${@D}
{ \
echo output/pacman-keyring/${keyring_name}.gpg: $$(bin/list-pgp-keyids | sed -r 's|(\S+) .*|output/cache/pacman-keyring/keys/\1.asc|') && \
echo output/cache/pacman-keyring/stamp.ownertrust: $$(bin/list-pgp-keyids | sed -rn 's|^(trusted/\S+) .*|output/cache/pacman-keyring/keys/\1.asc|p') && \
:; }> $@
-include output/cache/pacman-keyring/deps.mk
output/cache/pacman-keyring/stamp.gpg-init: gpg-init.txt
${MKDIRS} ${@D} output/cache/pacman-keyring/gpghome
${GPG} --gen-key < $<
touch $@
output/cache/pacman-keyring/stamp.ownertrust: output/pacman-keyring/${keyring_name}-trusted output/cache/pacman-keyring/deps.mk
${MKDIRS} ${@D}
${GPG} --import-ownertrust < $< 2>/dev/null
touch $@
output/pacman-keyring/${keyring_name}.gpg: output/cache/pacman-keyring/deps.mk
$(MKDIRS) ${@D}
cat $(filter %.asc,$^) > $@
output/pacman-keyring/${keyring_name}-trusted: hackers.yml bin/list-pgp-keyids
$(MKDIRS) ${@D}
bin/list-pgp-keyids | sed -rn 's|^trusted/\S+ (\S+)|\1:4:|p' > $@
output/pacman-keyring/${keyring_name}-revoked: hackers.yml bin/list-pgp-keyids
$(MKDIRS) ${@D}
bin/list-pgp-keyids | sed -rn 's|^revoked/\S+ ||p' > $@
# These 3 rules are mostly straight from "archlinux-keyring.git/update-keys"
keyid=$$(bin/get-pgp-keyid $*)
output/cache/pacman-keyring/keys/trusted/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.gpg-init
${MKDIRS} ${@D}
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'minimize\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
#${GPG} --yes --lsign-key ${keyid} &>/dev/null
printf 'y\ny\n' | ${GPG} --command-fd 0 --lsign-key ${keyid} &>/dev/null
${GPG} --armor --no-emit-version --export ${keyid} > $@
output/cache/pacman-keyring/keys/secondary/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.ownertrust
${MKDIRS} ${@D}
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it is trusted
${GPG} --armor --no-emit-version --export ${keyid} > $@
output/cache/pacman-keyring/keys/revoked/%.asc: hackers.yml bin/get-pgp-keyid output/cache/pacman-keyring/stamp.ownertrust
${MKDIRS} ${@D}
${GPG} --recv-keys ${keyid} &>/dev/null
printf 'clean\nquit\ny\n' | ${GPG} --command-fd 0 --edit-key ${keyid}
! ${GPG} --list-keys --with-colons ${keyid} 2>/dev/null | grep -q '^pub:f:' # make sure it's not trusted
${GPG} --armor --no-emit-version --export ${keyid} > $@
####
.PHONY: PHONY
.SECONDARY:
.DELETE_ON_ERROR:
|
