diff options
author | jperkin <jperkin@pkgsrc.org> | 2015-10-29 20:09:28 +0000 |
---|---|---|
committer | jperkin <jperkin@pkgsrc.org> | 2015-10-29 20:09:28 +0000 |
commit | 8d5f9574b06089fbe9c01de842c44d5120c8c813 (patch) | |
tree | c186458e27ec379d1861ec855c5cfec8f0efac69 /mk/pkgformat | |
parent | 269629486fa3a05d713f708f81a5dbdd4d5531fb (diff) | |
download | pkgsrc-8d5f9574b06089fbe9c01de842c44d5120c8c813.tar.gz |
Perform signing at the staged package stage rather than only during the
copy to the target pkgfile. Ensures consistency at all stages, means we
can support verifying the signature at install time, and also fixes signed
packages with recent pbulk changes which now invoke 'stage-package-create'
rather than 'package'.
Diffstat (limited to 'mk/pkgformat')
-rw-r--r-- | mk/pkgformat/pkg/package.mk | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk index 2453a903f2b..9150e5d862f 100644 --- a/mk/pkgformat/pkg/package.mk +++ b/mk/pkgformat/pkg/package.mk @@ -1,4 +1,4 @@ -# $NetBSD: package.mk,v 1.11 2015/09/07 11:02:28 jperkin Exp $ +# $NetBSD: package.mk,v 1.12 2015/10/29 20:09:28 jperkin Exp $ .if defined(PKG_SUFX) WARNINGS+= "PKG_SUFX is deprecated, please use PKG_COMPRESSION" @@ -70,30 +70,32 @@ _PKG_ARGS_PACKAGE+= -u ${REAL_ROOT_USER} -g ${REAL_ROOT_GROUP} .endif ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS} - ${RUN} ${MKDIR} ${.TARGET:H} @${STEP_MSG} "Creating binary package ${.TARGET}" - ${RUN} ${_ULIMIT_CMD} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \ - if ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then \ - ${MV} -f "$$tmpname" ${.TARGET}; \ - else \ + ${RUN} ${MKDIR} ${.TARGET:H}; ${_ULIMIT_CMD} \ + tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \ + if ! ${PKG_CREATE} ${_PKG_ARGS_PACKAGE} "$$tmpname"; then \ exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode; \ fi +.if !empty(SIGN_PACKAGES:U:Mgpg) + @${STEP_MSG} "Signing binary package ${.TARGET} (GPG)" + ${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \ + ${PKG_ADMIN} gpg-sign-package "$$tmpname" ${.TARGET} +.elif !empty(SIGN_PACKAGES:U:Mx509) + @${STEP_MSG} "Signing binary package ${.TARGET} (X509)" + ${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \ + ${PKG_ADMIN} x509-sign-package "$$tmpname" ${.TARGET} \ + ${X509_KEY} ${X509_CERTIFICATE} +.else + ${RUN} tmpname=${.TARGET:S,${PKG_SUFX}$,.tmp${PKG_SUFX},}; \ + ${MV} -f "$$tmpname" ${.TARGET} +.endif .if ${PKGFILE} != ${STAGE_PKGFILE} ${PKGFILE}: ${STAGE_PKGFILE} - ${RUN} ${MKDIR} ${.TARGET:H} -. if !empty(SIGN_PACKAGES:U:Mgpg) - @${STEP_MSG} "Creating signed binary package ${.TARGET} (GPG)" - ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE} -. elif !empty(SIGN_PACKAGES:U:Mx509) - @${STEP_MSG} "Creating signed binary package ${.TARGET} (X509)" - ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} \ - ${X509_KEY} ${X509_CERTIFICATE} -. else @${STEP_MSG} "Creating binary package ${.TARGET}" - ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \ + ${RUN} ${MKDIR} ${.TARGET:H}; \ + ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \ ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE} -. endif .endif ###################################################################### |