sync: add automatic GPG key retrieval

In certain cases, the `auto-key-retrieve` option for gpg(1) does not result in a successfully imported keys. Furthermore, this option imports (possibly unverified) keys directly into the default user keyring. Use a different approach by creating a separate keyring which is used exclusively for verifying and importing gpg(1) keys with makepkg(8) or aur-chroot(1). The keyring location defaults to `$XDG_DATA_HOME/aurutils/sync/gnupg` and can be modified through the `AUR_SYNC_GNUPGHOME` environment variable. Automatic key retrieval can be disabled with `--no-key-retrieve` / `--nokeyretrieve`.

sync: add automatic GPG key retrieval
5d9f01c4 · Alad Wenter · 3cff371f · 5d9f01c4 · 5d9f01c4 · 5d9f01c4
Commit 5d9f01c4 authored 6 months ago by Alad Wenter
--- a/lib/aur-sync
+++ b/lib/aur-sync
@@ -6,8 +6,10 @@ argv0=sync
 XDG_CACHE_HOME=${XDG_CACHE_HOME:-$HOME/.cache}
 XDG_CONFIG_HOME=${XDG_CONFIG_HOME:-$HOME/.config}
 XDG_STATE_HOME=${XDG_STATE_HOME:-$HOME/.local/state}
+XDG_DATA_HOME=${XDG_DATA_HOME:-$HOME/.local/share}
 AURDEST=${AURDEST:-$XDG_CACHE_HOME/aurutils/$argv0}
 AUR_SYNC_USE_NINJA=${AUR_SYNC_USE_NINJA:-0}
+AUR_SYNC_GNUPGHOME=${AUR_SYNC_GNUPGHOME:-$XDG_DATA_HOME/aurutils/$argv0/gnupg}
 PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'

 # Avoid CDPATH screwing with cd (#1047)
@@ -18,7 +20,7 @@ build_args=(--syncdeps) build_repo_args=()
 depends_args=() view_args=() filter_args=() fetch_args=() graph_args=() reparse_args=()

 # default options
-build=1 chkver_depth=2 download=1 view=1 provides=1 graph=1 keep_going=1
+build=1 chkver_depth=2 download=1 view=1 provides=1 graph=1 keep_going=1 auto_key_retrieve=1

 # default options (disabled)
 rotate=0 update=0 repo_targets=0 columns=0
@@ -94,11 +96,11 @@ opt_long=('bind:' 'bind-rw:' 'database:' 'directory:' 'ignore:' 'root:'
          'rebuild' 'rebuild-tree' 'rebuild-all' 'ignore-file:' 'remove'
          'provides-from:' 'new' 'prevent-downgrade' 'verify' 'makepkg-args:'
          'format:' 'no-check' 'keep-going:' 'user:' 'rebase' 'reset' 'ff' 'exclude:'
-          'columns' 'prefix' 'save:' 'clean' 'cleanbuild')
+          'columns' 'prefix' 'save:' 'clean' 'cleanbuild' 'no-key-retrieve')
 opt_hidden=('dump-options' 'allan' 'ignorearch' 'ignorefile:' 'noconfirm'
            'nover' 'nograph' 'nosync' 'nover-argv' 'noview' 'noprovides' 'nobuild'
            'rebuildall' 'rebuildtree' 'rm-deps' 'gpg-sign' 'margs:' 'nocheck'
-            'no-checkdepends' 'nocheckdepends' 'optdepends' 'repo:')
+            'no-checkdepends' 'nocheckdepends' 'optdepends' 'repo:' 'nokeyretrieve')

 if opts=$(getopt -o "$opt_short" -l "$(args_csv "${opt_long[@]}" "${opt_hidden[@]}")" -n "$argv0" -- "$@"); then
    eval set -- "$opts"
@@ -146,6 +148,8 @@ while true; do
            view=0 ;;
        --noprovides|--no-provides)
            provides=0 ;;
+        --nokeyretrieve|--no-key-retrieve)
+            auto_key_retrieve=0 ;;
        --provides-from)
            shift; IFS=, read -a repo -r <<< "$1"
            repo_p+=("${repo[@]}")
@@ -386,6 +390,28 @@ else
    xargs -a "$tmp"/queue stat >/dev/null || exit 2 # ensure all directories are available
 fi

+if (( auto_key_retrieve )); then
+    # shellcheck disable=SC2174
+    mkdir -pm 0700 -- "$AUR_SYNC_GNUPGHOME"
+    declare -A keys_uniq
+
+    # Retrieve unique set of gpg keys to be imported
+    while IFS= read -r path; do
+        mapfile -t keys < <(pacini "$path"/.SRCINFO 'validpgpkeys')
+
+        for key in "${keys[@]}"; do
+            keys_uniq[$key]=1
+        done
+    done < "$tmp"/queue
+
+    if (( ${#keys_uniq[@]} )); then
+        printf >&2 '%s: importing key %s\n' "${!keys_uniq[@]}"
+        GNUPGHOME="$AUR_SYNC_GNUPGHOME" gpg --recv-keys "${!keys_uniq[@]}" >&2
+    fi
+    # Pass on verified keys to makepkg
+    build_args+=(--makepkg-gnupghome="$AUR_SYNC_GNUPGHOME")
+fi
+
 # Verify dependency tree (#20)
 if (( graph )); then
    if ! { while read -r pkg; do

--- a/makepkg/aurutils.changelog
+++ b/makepkg/aurutils.changelog
@@ -4,6 +4,11 @@
  + add `AUR_MAKEPKG_GNUPGHOME`, `--makepkg-gnupghome`
  + propagate `LOGDEST` to `aur-chroot`

+* `aur-sync`
+ + retrieve PGP keys to `AUR_SYNC_GNUPGHOME` keyring
+    - keyring defaults to `$XDG_DATA_HOME/aurutils/sync/gnupg`
+    - disable with `--no-key-retrieve`
+
 ## 20.1

 * `aur-chroot`

--- a/man1/aur-sync.1
+++ b/man1/aur-sync.1
@@ -257,6 +257,11 @@ Do not wait for user input when installing or removing build dependencies.
 Print target packages and their paths instead of building them.
 .
 .TP
+.BR \-\-nokeyretrieve ", " \-\-no\-key\-retrieve
+Do not automatically import PGP keys to
+.BR AUR_SYNC_GNUPGHOME .
+.
+.TP
 .BR \-C ", " \-\-clean
 Clean up leftover work files and directoreis after a successful build.
 .RB ( "aur build \-C" )
@@ -352,6 +357,13 @@ it is advised to set a persistent path such as
 .IR /home/aurpkgs .
 .
 .TP
+.B AUR_SYNC_GNUPGHOME
+The path where
+.B validpgpkeys
+are imported. Defaults to
+.IR XDG_DATA_HOME/aurutils/sync/gnupg .
+.
+.TP
 .B AUR_SYNC_USE_NINJA
 When set to a positive value, run
 .B aur\-build