
03/03: guix-install.sh: Add support for more than one signing key.


From: guix-commits
Subject: 03/03: guix-install.sh: Add support for more than one signing key.
Date: Sat, 1 May 2021 01:31:18 -0400 (EDT)

apteryx pushed a commit to branch master
in repository guix.

commit e64af2060e8cfa48e74b887281acb3fd4c7e7781
Author: Maxim Cournoyer <maxim.cournoyer@gmail.com>
AuthorDate: Sat May 1 00:27:14 2021 -0400

    guix-install.sh: Add support for more than one signing key.
    
    The forthcoming 1.3.0 release will be signed with my personal GnuPG key; the
    installation script needs to tell users how to fetch it.
    
    * etc/guix-install.sh (OPENPGP_SIGNING_KEY_ID): Remove variable.
    (GPG_SIGNING_KEYS): New associative array.
    (chk_gpg_keyring): Process all the keys contained in the above array.
    (main) <GUIX_BINARY_FILE_NAME>: Double quote variable.
---
 etc/guix-install.sh | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/etc/guix-install.sh b/etc/guix-install.sh
index fb221ab..06a3edd 100755
--- a/etc/guix-install.sh
+++ b/etc/guix-install.sh
@@ -64,7 +64,12 @@ INF="[ INFO ] "
 DEBUG=0
 GNU_URL="https://ftp.gnu.org/gnu/guix/";
 #GNU_URL="https://alpha.gnu.org/gnu/guix/";
-OPENPGP_SIGNING_KEY_ID="3CE464558A84FDC69DB40CFB090B11993D9AEBB5"
+
+# The following associative array holds set of GPG keys used to sign the
+# releases, keyed by their corresponding Savannah user ID.
+declare -A GPG_SIGNING_KEYS
+GPG_SIGNING_KEYS[15145]=3CE464558A84FDC69DB40CFB090B11993D9AEBB5  # ludo
+GPG_SIGNING_KEYS[127547]=27D586A4F8900854329FF09F1260E46482E63562 # maxim
 
 # This script needs to know where root's home directory is.  However, we
 # cannot simply use the HOME environment variable, since there is no guarantee
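Review bot: The comment above `declare -A GPG_SIGNING_KEYS` should say what these values are, because they are the trust anchors the rest of the script verifies releases against; as written it only says "holds set of GPG keys". I would make it `# Full OpenPGP fingerprints of the keys used to sign releases, keyed by the Savannah user ID the key can be fetched from; chk_gpg_keyring looks each one up in root's keyring.` so that a future edit to a fingerprint is recognized as a trust-root change. `declare -A` also requires bash 4 or later; the shebang is outside this hunk so I cannot confirm it, though the use of `$FUNCNAME` in chk_gpg_keyring suggests the script already assumes bash.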
@@ -113,14 +118,21 @@ chk_require()
 chk_gpg_keyring()
 { # Check whether the Guix release signing public key is present.
     _debug "--- [ $FUNCNAME ] ---"
-
-    # Without --dry-run this command will create a ~/.gnupg owned by root on
-    # systems where gpg has never been used, causing errors and confusion.
-    gpg --dry-run --list-keys ${OPENPGP_SIGNING_KEY_ID} >/dev/null 2>&1 || (
-        _err "${ERR}Missing OpenPGP public key.  Fetch it with this command:"
-        echo "  wget 'https://sv.gnu.org/people/viewgpg.php?user_id=15145' -qO 
- | sudo -i gpg --import -"
-        exit 1
-    )
+    local user_id
+    local gpg_key_id
+    local exit_flag
+
+    for user_id in "${!GPG_SIGNING_KEYS[@]}"; do
+        gpg_key_id=${GPG_SIGNING_KEYS[$user_id]}
+        # Without --dry-run this command will create a ~/.gnupg owned by root 
on
+        # systems where gpg has never been used, causing errors and confusion.
+        if ! gpg --dry-run --list-keys "$gpg_key_id" >/dev/null 2>&1; then
+            _err "${ERR}Missing OpenPGP public key ($gpg_key_id).  Fetch it 
with this command:"
+            echo "  wget 
\"https://sv.gnu.org/people/viewgpg.php?user_id=$user_id\"; -qO - | sudo -i gpg 
--import -"
+            exit_flag=yes
+        fi
+    done
+    test "$exit_flag" = yes && exit 1 || true
 }
 
 chk_term()
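Review bot: `exit_flag` is declared with `local exit_flag` but never initialized, so the closing `test "$exit_flag" = yes` reads an unset variable when every key is present; that only works because the script does not appear to run under `set -u` (not visible in the hunk), and the `… && exit 1 || true` ending obscures the intent. Initialize it as `local exit_flag=no` and end the function with `if [ "$exit_flag" = yes ]; then exit 1; fi`. The printed `wget … | sudo -i gpg --import -` command imports whatever Savannah serves for that user ID, so the message should tell the user to compare the imported key's fingerprint with the value already printed, e.g. append `echo "  and check that the imported key's fingerprint is $gpg_key_id"` after the existing `echo`. Note also that the iteration order over an associative array is unspecified, so the order of the missing-key messages may vary between runs.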
@@ -563,7 +575,7 @@ main()
             _err "$ARCH_OS not in ${GUIX_BINARY_FILE_NAME}; aborting"
         fi
         _msg "Using manually provided binary ${GUIX_BINARY_FILE_NAME}"
-        GUIX_BINARY_FILE_NAME=$(realpath $GUIX_BINARY_FILE_NAME)
+        GUIX_BINARY_FILE_NAME=$(realpath "$GUIX_BINARY_FILE_NAME")
     fi
 
     sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"
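Review bot: The quoting fix on the `realpath` line is correct, but a failing `realpath` (missing or unreadable path) still leaves `GUIX_BINARY_FILE_NAME` empty and the empty value flows into `sys_create_store` two lines later; guard it with `GUIX_BINARY_FILE_NAME=$(realpath "$GUIX_BINARY_FILE_NAME") || { _err "${ERR}Cannot resolve $GUIX_BINARY_FILE_NAME"; exit 1; }`. Separately, the `_err "$ARCH_OS not in …; aborting"` context line is followed directly by `fi`; if `_err` only prints (which the `exit_flag` pattern in chk_gpg_keyring suggests), the script continues with a binary for the wrong architecture despite saying "aborting" — worth confirming since `_err` is defined outside this hunk. main's body starts and ends outside the hunk.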


