author | khorben <khorben> | 2014-04-06 15:04:16 +0000 |
---|---|---|
committer | khorben <khorben> | 2014-04-06 15:04:16 +0000 |
commit | 2775306114ac3b6c6f9782b1217a1c5a70dac743 (patch) | |
tree | 56323264a500ec9a50017ac307797086a0971706 /mk | |
parent | ae204b0f369e1239362ff152eaa1d5e8d1a40843 (diff) | |
Create signed packages automatically if desired. It is disabled by default,
and documented in mk/defaults/mk.conf. Both the "gpg" and "x509" methods
supported by pkg_admin(1) are supported. With package signing enabled, a
staging, unsigned copy of the package is always created, and its final copy
to the package repository is done with pkg_admin(1) instead of "ln || cp".
Proper operation should otherwise not be affected.
Tested both with and without user-destdir support in packages.
"can live with it" joerg@
From EdgeBSD.
Diffstat (limited to 'mk')
-rw-r--r-- | mk/defaults/mk.conf | 17 | ||||
-rw-r--r-- | mk/pkgformat/pkg/package.mk | 21 |
2 files changed, 34 insertions, 4 deletions
diff --git a/mk/defaults/mk.conf b/mk/defaults/mk.conf index 7af219ccd50..b225240fb7b 100644 --- a/mk/defaults/mk.conf +++ b/mk/defaults/mk.conf @@ -1,4 +1,4 @@ -# $NetBSD: mk.conf,v 1.238 2014/03/11 14:07:04 jperkin Exp $ +# $NetBSD: mk.conf,v 1.239 2014/04/06 15:04:16 khorben Exp $ # # This file provides default values for variables that may be overridden @@ -71,6 +71,21 @@ GZIP?= -9 # Possible: defined, not defined # Default: not defined +#SIGN_PACKAGES= +# sign the packages generated with the method specified. +# Possible: gpg, x509, not defined +# Default: not defined + +#X509_KEY= +# key to use when signing packages with an X509 certificate. +# Possible: pathname to the key file, not defined +# Default: not defined + +#X509_CERTIFICATE= +# certificate to use when signing packages with an X509 certificate. +# Possible: pathname to the X509 certificate, not defined +# Default: not defined + .if defined(PKG_DEVELOPER) && ${PKG_DEVELOPER} != "no" PATCH_DEBUG?= .endif diff --git a/mk/pkgformat/pkg/package.mk b/mk/pkgformat/pkg/package.mk index bfbfe57ce16..ddc8be16a07 100644 --- a/mk/pkgformat/pkg/package.mk +++ b/mk/pkgformat/pkg/package.mk @@ -1,4 +1,4 @@ -# $NetBSD: package.mk,v 1.3 2013/08/10 06:05:57 obache Exp $ +# $NetBSD: package.mk,v 1.4 2014/04/06 15:04:16 khorben Exp $ .if defined(PKG_SUFX) WARNINGS+= "PKG_SUFX is deprecated, please use PKG_COMPRESSION" @@ -14,7 +14,13 @@ PKG_SUFX?= .tgz FILEBASE?= ${PKGBASE} PKGFILE?= ${PKGREPOSITORY}/${FILEBASE}-${PKGVERSION}${PKG_SUFX} .if ${_USE_DESTDIR} == "no" +. if !empty(SIGN_PACKAGES:Mgpg) +STAGE_PKGFILE?= ${WRKDIR}/.packages/${FILEBASE}-${PKGVERSION}${PKG_SUFX} +. elif !empty(SIGN_PACKAGES:Mx509) +STAGE_PKGFILE?= ${WRKDIR}/.packages/${FILEBASE}-${PKGVERSION}${PKG_SUFX} +. else STAGE_PKGFILE?= ${PKGFILE} +. endif .else STAGE_PKGFILE?= ${WRKDIR}/.packages/${FILEBASE}-${PKGVERSION}${PKG_SUFX} .endif 
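Review bot: The X509_KEY comment block does not say that the file is a private signing key, so nothing here tells an operator to restrict its permissions or keep it out of shared build directories. A line such as `# The key file is a private key: keep it readable only by the user running the builds.` would cover that. The SIGN_PACKAGES block could also say that the gpg method takes no key setting from mk.conf, which the absence of a gpg variable here implies, and name where the signing identity is configured (presumably pkg_admin's own configuration; confirm).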
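Review bot: Any SIGN_PACKAGES value other than `gpg` or `x509` (a typo, `yes`, a different case) falls through to the `.else` branch of the STAGE_PKGFILE block, and to the unsigned `ln || cp` branch in the `${PKGFILE}` rule of the last hunk, so the build produces unsigned packages without any message. An explicit check would make that fail closed, for example `.if !empty(SIGN_PACKAGES) && empty(SIGN_PACKAGES:Mgpg) && empty(SIGN_PACKAGES:Mx509)` followed by `PKG_FAIL_REASON+= "Unknown SIGN_PACKAGES method: ${SIGN_PACKAGES}"` and `.endif`. As a style point, the gpg and x509 branches assign the same value and can be one branch: `. if !empty(SIGN_PACKAGES:Mgpg) || !empty(SIGN_PACKAGES:Mx509)`.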
@@ -38,7 +44,7 @@ package-check-installed: ### package-create creates the binary package. ### .PHONY: package-create -package-create: package-remove ${PKGFILE} package-links +package-create: ${PKGFILE} package-links ###################################################################### ### stage-package-create (PRIVATE, pkgsrc/mk/package/package.mk) @@ -76,12 +82,21 @@ ${STAGE_PKGFILE}: ${_CONTENTS_TARGETS} exitcode=$$?; ${RM} -f "$$tmpname"; exit $$exitcode; \ fi -.if ${_USE_DESTDIR} != "no" +.if ${PKGFILE} != ${STAGE_PKGFILE} ${PKGFILE}: ${STAGE_PKGFILE} ${RUN} ${MKDIR} ${.TARGET:H} +. if !empty(SIGN_PACKAGES:Mgpg) + @${STEP_MSG} "Creating signed binary package ${.TARGET} (GPG)" + ${PKG_ADMIN} gpg-sign-package ${STAGE_PKGFILE} ${PKGFILE} +. elif !empty(SIGN_PACKAGES:Mx509) + @${STEP_MSG} "Creating signed binary package ${.TARGET} (X509)" + ${PKG_ADMIN} x509-sign-package ${STAGE_PKGFILE} ${PKGFILE} \ + ${X509_KEY} ${X509_CERTIFICATE} +. else @${STEP_MSG} "Creating binary package ${.TARGET}" ${LN} -f ${STAGE_PKGFILE} ${PKGFILE} 2>/dev/null || \ ${CP} -pf ${STAGE_PKGFILE} ${PKGFILE} +. endif .endif ###################################################################### |
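Review bot: Dropping `package-remove` from the prerequisites of `package-create` is not mentioned in the commit message and changes when an existing `${PKGFILE}` gets replaced: it is now rebuilt only when make considers it out of date. If SIGN_PACKAGES is switched on while the repository already holds an unsigned file that is newer than the staged copy, that file would apparently be kept as is. A comment above the target stating the reason would help, e.g. `# package-remove is not a prerequisite: ${PKGFILE} is regenerated only when out of date`, or the prerequisite could be kept when signing is enabled.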
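Review bot: The x509 branch of the `${PKGFILE}` rule passes `${X509_KEY}` and `${X509_CERTIFICATE}` unchecked and unquoted, so with either one unset the command runs with missing arguments and the error comes from pkg_admin rather than from a clear configuration check. Quoting them as `${X509_KEY:Q} ${X509_CERTIFICATE:Q}` and failing early when either is empty would make this easier to diagnose. Both signing commands also write straight to `${PKGFILE}`, whereas the staging rule above (which starts outside this hunk) cleans up a `$$tmpname` on failure. Whether pkg_admin leaves a partial file behind on error is not visible here, but signing to a temporary name and renaming it would rule out a truncated package in the repository. The two pkg_admin lines are also not prefixed with `${RUN}`, unlike the `${MKDIR}` line before them.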