From 185709221d4cd2f3a06fa3c4777e9e71d15ed09d Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Sat, 1 May 2021 00:27:14 -0400 Subject: [PATCH] guix-install.sh: Add support for more than one signing key. The forthcoming 1.3.0 release will be signed with my personal GnuPG key; the installation script need to tell users how fetch it. * etc/guix-install.sh (OPENPGP_SIGNING_KEY_ID): Remove variable. (GPG_SIGNING_KEYS): New associative array. (chk_gpg_keyring): Process all the keys contained in the above array. (main) : Double quote variable. --- etc/guix-install.sh | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/etc/guix-install.sh b/etc/guix-install.sh index fb221ab044..06a3edd1a6 100755 --- a/etc/guix-install.sh +++ b/etc/guix-install.sh @@ -64,7 +64,12 @@ INF="[ INFO ] " DEBUG=0 GNU_URL="https://ftp.gnu.org/gnu/guix/" #GNU_URL="https://alpha.gnu.org/gnu/guix/" -OPENPGP_SIGNING_KEY_ID="3CE464558A84FDC69DB40CFB090B11993D9AEBB5" + +# The following associative array holds set of GPG keys used to sign the +# releases, keyed by their corresponding Savannah user ID. +declare -A GPG_SIGNING_KEYS +GPG_SIGNING_KEYS[15145]=3CE464558A84FDC69DB40CFB090B11993D9AEBB5 # ludo +GPG_SIGNING_KEYS[127547]=27D586A4F8900854329FF09F1260E46482E63562 # maxim # This script needs to know where root's home directory is. However, we # cannot simply use the HOME environment variable, since there is no guarantee @@ -113,14 +118,21 @@ chk_require() chk_gpg_keyring() { # Check whether the Guix release signing public key is present. _debug "--- [ $FUNCNAME ] ---" + local user_id + local gpg_key_id + local exit_flag - # Without --dry-run this command will create a ~/.gnupg owned by root on - # systems where gpg has never been used, causing errors and confusion. - gpg --dry-run --list-keys ${OPENPGP_SIGNING_KEY_ID} >/dev/null 2>&1 || ( - _err "${ERR}Missing OpenPGP public key. Fetch it with this command:" - echo " wget 'https://sv.gnu.org/people/viewgpg.php?user_id=15145' -qO - | sudo -i gpg --import -" - exit 1 - ) + for user_id in "${!GPG_SIGNING_KEYS[@]}"; do + gpg_key_id=${GPG_SIGNING_KEYS[$user_id]} + # Without --dry-run this command will create a ~/.gnupg owned by root on + # systems where gpg has never been used, causing errors and confusion. + if ! gpg --dry-run --list-keys "$gpg_key_id" >/dev/null 2>&1; then + _err "${ERR}Missing OpenPGP public key ($gpg_key_id). Fetch it with this command:" + echo " wget \"https://sv.gnu.org/people/viewgpg.php?user_id=$user_id\" -qO - | sudo -i gpg --import -" + exit_flag=yes + fi + done + test "$exit_flag" = yes && exit 1 || true } chk_term() @@ -563,7 +575,7 @@ main() _err "$ARCH_OS not in ${GUIX_BINARY_FILE_NAME}; aborting" fi _msg "Using manually provided binary ${GUIX_BINARY_FILE_NAME}" - GUIX_BINARY_FILE_NAME=$(realpath $GUIX_BINARY_FILE_NAME) + GUIX_BINARY_FILE_NAME=$(realpath "$GUIX_BINARY_FILE_NAME") fi sys_create_store "${GUIX_BINARY_FILE_NAME}" "${tmp_path}"