From 93ba4efb69e511f8ed5efd2959b69535104068f5 Mon Sep 17 00:00:00 2001
From: joerg <joerg>
Date: Tue, 27 Jan 2009 22:24:05 +0000
Subject: pkg_install-20090127: Add options to specify user-id and keyrings for
 GPG operations.

---
 pkgtools/pkg_install/files/lib/gpgsig.c               | 10 +++++-----
 pkgtools/pkg_install/files/lib/lib.h                  |  8 ++++++--
 pkgtools/pkg_install/files/lib/parse-config.c         | 12 ++++++++++--
 pkgtools/pkg_install/files/lib/pkg_install.conf.5     | 13 +++++++++++--
 pkgtools/pkg_install/files/lib/pkg_install.conf.cat5  | 19 +++++++++++++++++--
 pkgtools/pkg_install/files/lib/pkg_signature.c        |  8 ++++----
 pkgtools/pkg_install/files/lib/version.h              |  4 ++--
 pkgtools/pkg_install/files/lib/vulnerabilities-file.c |  6 +++---
 8 files changed, 58 insertions(+), 22 deletions(-)
diff --git a/pkgtools/pkg_install/files/lib/gpgsig.c b/pkgtools/pkg_install/files/lib/gpgsig.c
index 98296b13886..810f04cf710 100644
--- a/pkgtools/pkg_install/files/lib/gpgsig.c
+++ b/pkgtools/pkg_install/files/lib/gpgsig.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: gpgsig.c,v 1.1.2.1 2008/12/30 15:55:57 joerg Exp $	*/
+/*	$NetBSD: gpgsig.c,v 1.1.2.2 2009/01/27 22:24:05 joerg Exp $	*/
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
@@ -7,7 +7,7 @@
 #include <sys/cdefs.h>
 #endif
 
-__RCSID("$NetBSD: gpgsig.c,v 1.1.2.1 2008/12/30 15:55:57 joerg Exp $");
+__RCSID("$NetBSD: gpgsig.c,v 1.1.2.2 2009/01/27 22:24:05 joerg Exp $");
 
 /*-
  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
@@ -108,9 +108,9 @@ verify_signature(const char *input, size_t input_len, const char *keyring,
 }
 
 int
-inline_gpg_verify(const char *content, size_t len)
+inline_gpg_verify(const char *content, size_t len, const char *keyring)
 {
-	verify_signature(content, len, NULL, NULL);
+	verify_signature(content, len, keyring, NULL);
 
 	return 0;
 }
@@ -212,7 +212,7 @@ detached_gpg_sign(const char *content, size_t len, char **sig, size_t *sig_len,
 		}
 		if (keyring != NULL) {
 			*argvp++ = "--no-default-keyring";
-			*argvp++ = "--keyring";
+			*argvp++ = "--secret-keyring";
 			*argvp++ = keyring;
 		}
 
diff --git a/pkgtools/pkg_install/files/lib/lib.h b/pkgtools/pkg_install/files/lib/lib.h
index 50b7f554cef..7ab5b9ad695 100644
--- a/pkgtools/pkg_install/files/lib/lib.h
+++ b/pkgtools/pkg_install/files/lib/lib.h
@@ -1,4 +1,4 @@
-/* $NetBSD: lib.h,v 1.42.2.17 2009/01/08 00:01:31 joerg Exp $ */
+/* $NetBSD: lib.h,v 1.42.2.18 2009/01/27 22:24:05 joerg Exp $ */
 
 /* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
 
@@ -393,7 +393,7 @@ int easy_pkcs7_sign(const char *, size_t, char **, size_t *, const char *,
     const char *);
 #endif
 
-int inline_gpg_verify(const char *, size_t);
+int inline_gpg_verify(const char *, size_t, const char *);
 int detached_gpg_verify(const char *, size_t, const char *, size_t,
     const char *);
 int detached_gpg_sign(const char *, size_t, char **, size_t *, const char *,
@@ -416,6 +416,10 @@ extern const char *check_vulnerabilities;
 extern const char *config_file;
 extern const char *verified_installation;
 extern const char *gpg_cmd;
+extern const char *gpg_keyring_pkgvuln;
+extern const char *gpg_keyring_sign;
+extern const char *gpg_keyring_verify;
+extern const char *gpg_sign_as;
 extern char fetch_flags[];
 
 extern const char *pkg_vulnerabilities_dir;
diff --git a/pkgtools/pkg_install/files/lib/parse-config.c b/pkgtools/pkg_install/files/lib/parse-config.c
index d629c85c3af..336a50d50e7 100644
--- a/pkgtools/pkg_install/files/lib/parse-config.c
+++ b/pkgtools/pkg_install/files/lib/parse-config.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $	*/
+/*	$NetBSD: parse-config.c,v 1.1.2.7 2009/01/27 22:24:05 joerg Exp $	*/
 
 #if HAVE_CONFIG_H
 #include "config.h"
@@ -8,7 +8,7 @@
 #include <sys/cdefs.h>
 #endif
 #ifndef lint
-__RCSID("$NetBSD: parse-config.c,v 1.1.2.6 2009/01/08 00:01:31 joerg Exp $");
+__RCSID("$NetBSD: parse-config.c,v 1.1.2.7 2009/01/27 22:24:05 joerg Exp $");
 #endif
 
 /*-
@@ -61,6 +61,10 @@ const char *certs_pkg_vulnerabilities;
 const char *check_vulnerabilities;
 const char *verified_installation;
 const char *gpg_cmd;
+const char *gpg_keyring_pkgvuln;
+const char *gpg_keyring_sign;
+const char *gpg_keyring_verify;
+const char *gpg_sign_as;
 const char *pkg_vulnerabilities_dir;
 const char *pkg_vulnerabilities_file;
 const char *pkg_vulnerabilities_url;
@@ -80,6 +84,10 @@ static struct config_variable {
 	{ "GPG", &gpg_cmd },
 	{ "IGNORE_PROXY", &ignore_proxy },
 	{ "IGNORE_URL", &ignore_advisories },
+	{ "GPG_KEYRING_PKGVULN", &gpg_keyring_pkgvuln },
+	{ "GPG_KEYRING_SIGN", &gpg_keyring_sign },
+	{ "GPG_KEYRING_VERIFY", &gpg_keyring_verify },
+	{ "GPG_SIGN_AS", &gpg_sign_as },
 	{ "PKGVULNDIR", &pkg_vulnerabilities_dir },
 	{ "PKGVULNURL", &pkg_vulnerabilities_url },
 	{ "VERBOSE_NETIO", &verbose_netio },
diff --git a/pkgtools/pkg_install/files/lib/pkg_install.conf.5 b/pkgtools/pkg_install/files/lib/pkg_install.conf.5
index 516c489c288..5b15622778b 100644
--- a/pkgtools/pkg_install/files/lib/pkg_install.conf.5
+++ b/pkgtools/pkg_install/files/lib/pkg_install.conf.5
@@ -1,4 +1,4 @@
-.\"	$NetBSD: pkg_install.conf.5,v 1.1.2.5 2009/01/08 09:14:12 wiz Exp $
+.\"	$NetBSD: pkg_install.conf.5,v 1.1.2.6 2009/01/27 22:24:05 joerg Exp $
 .\"
 .\" Copyright (c) 2008, 2009 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -80,7 +80,6 @@ A missing pkg-vulnerabilities file is considered an error.
 The user is always asked to confirm installation of vulnerable packages.
 .El
 .It Dv GPG
-Deprecated.
 Path to
 .Xr gpg 1 ,
 which can be used to verify the signature in the
@@ -89,6 +88,16 @@ file when running
 .Dl Ic pkg_admin check-pkg-vulnerabilities -s
 or
 .Dl Ic pkg_admin fetch-pkg-vulnerabilities -s
+It can also be used to verify and sign binary packages.
+.It Dv GPG_KEYRING_PKGVULN
+Non-default keyring to use for verifying GPG signatures of
+.Pa pkg-vulnerabilities.
+.It Dv GPG_KEYRING_SIGN
+Non-default keyring to use for signing packages with GPG.
+.It Dv GPG_KEYRING_VERIFY
+Non-default keyring to use for verifying GPG signature of packages.
+.It Dv GPG_SIGN_AS
+User-id to use for signing packages.
 .It Dv IGNORE_PROXY
 Use direct connections and ignore
 .Ev FTP_PROXY
diff --git a/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5 b/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
index e720f985e55..00b964d1177 100644
--- a/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
+++ b/pkgtools/pkg_install/files/lib/pkg_install.conf.cat5
@@ -44,11 +44,26 @@ DDEESSCCRRIIPPTTIIOONN
              interactive    The user is always asked to confirm installation
                             of vulnerable packages.
 
-     GPG     Deprecated.  Path to gpg(1), which can be used to verify the sig-
-             nature in the _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
+     GPG     Path to gpg(1), which can be used to verify the signature in the
+             _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s file when running
                    ppkkgg__aaddmmiinn cchheecckk--ppkkgg--vvuullnneerraabbiilliittiieess --ss
              or
                    ppkkgg__aaddmmiinn ffeettcchh--ppkkgg--vvuullnneerraabbiilliittiieess --ss
+             It can also be used to verify and sign binary packages.
+
+     GPG_KEYRING_PKGVULN
+             Non-default keyring to use for verifying GPG signatures of
+             _p_k_g_-_v_u_l_n_e_r_a_b_i_l_i_t_i_e_s_.
+
+     GPG_KEYRING_SIGN
+             Non-default keyring to use for signing packages with GPG.
+
+     GPG_KEYRING_VERIFY
+             Non-default keyring to use for verifying GPG signature of pack-
+             ages.
+
+     GPG_SIGN_AS
+             User-id to use for signing packages.
 
      IGNORE_PROXY
              Use direct connections and ignore FTP_PROXY and HTTP_PROXY.
diff --git a/pkgtools/pkg_install/files/lib/pkg_signature.c b/pkgtools/pkg_install/files/lib/pkg_signature.c
index 63ad25c9ef1..13fc7f53a81 100644
--- a/pkgtools/pkg_install/files/lib/pkg_signature.c
+++ b/pkgtools/pkg_install/files/lib/pkg_signature.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: pkg_signature.c,v 1.1.2.7 2008/12/30 15:55:57 joerg Exp $	*/
+/*	$NetBSD: pkg_signature.c,v 1.1.2.8 2009/01/27 22:24:05 joerg Exp $	*/
 
 #if HAVE_CONFIG_H
 #include "config.h"
@@ -7,7 +7,7 @@
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.7 2008/12/30 15:55:57 joerg Exp $");
+__RCSID("$NetBSD: pkg_signature.c,v 1.1.2.8 2009/01/27 22:24:05 joerg Exp $");
 
 /*-
  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
@@ -352,7 +352,7 @@ pkg_verify_signature(struct archive **archive, struct archive_entry **entry,
 			goto no_valid_signature;
 		}
 		has_sig = !detached_gpg_verify(hash_file, hash_len,
-		    signature_file, signature_len, NULL);
+		    signature_file, signature_len, gpg_keyring_verify);
 
 		free(signature_file);
 	} else {
@@ -636,7 +636,7 @@ pkg_sign_gpg(const char *name, const char *output)
 	hash_file = tmp;
 
 	if (detached_gpg_sign(hash_file, strlen(hash_file), &signature_file,
-	    &signature_len, NULL, NULL))
+	    &signature_len, gpg_keyring_sign, gpg_sign_as))
 		err(EXIT_FAILURE, "Cannot sign hash file");
 
 	lseek(fd, 0, SEEK_SET);
diff --git a/pkgtools/pkg_install/files/lib/version.h b/pkgtools/pkg_install/files/lib/version.h
index 13832d54163..a55a697bf17 100644
--- a/pkgtools/pkg_install/files/lib/version.h
+++ b/pkgtools/pkg_install/files/lib/version.h
@@ -1,4 +1,4 @@
-/*	$NetBSD: version.h,v 1.102.2.20 2009/01/08 00:01:31 joerg Exp $	*/
+/*	$NetBSD: version.h,v 1.102.2.21 2009/01/27 22:24:06 joerg Exp $	*/
 
 /*
  * Copyright (c) 2001 Thomas Klausner.  All rights reserved.
@@ -27,6 +27,6 @@
 #ifndef _INST_LIB_VERSION_H_
 #define _INST_LIB_VERSION_H_
 
-#define PKGTOOLS_VERSION "20090108"
+#define PKGTOOLS_VERSION "20090127"
 
 #endif /* _INST_LIB_VERSION_H_ */
diff --git a/pkgtools/pkg_install/files/lib/vulnerabilities-file.c b/pkgtools/pkg_install/files/lib/vulnerabilities-file.c
index ec5b797a130..7f70fdcfddf 100644
--- a/pkgtools/pkg_install/files/lib/vulnerabilities-file.c
+++ b/pkgtools/pkg_install/files/lib/vulnerabilities-file.c
@@ -1,4 +1,4 @@
-/*	$NetBSD: vulnerabilities-file.c,v 1.3.4.8 2008/12/30 15:55:57 joerg Exp $	*/
+/*	$NetBSD: vulnerabilities-file.c,v 1.3.4.9 2009/01/27 22:24:06 joerg Exp $	*/
 
 /*-
  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
@@ -38,7 +38,7 @@
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: vulnerabilities-file.c,v 1.3.4.8 2008/12/30 15:55:57 joerg Exp $");
+__RCSID("$NetBSD: vulnerabilities-file.c,v 1.3.4.9 2009/01/27 22:24:06 joerg Exp $");
 
 #if HAVE_SYS_STAT_H
 #include <sys/stat.h>
@@ -109,7 +109,7 @@ verify_signature(const char *input, size_t input_len)
 		    "At least GPG or CERTIFICATE_ANCHOR_PKGVULN "
 		    "must be configured");
 	if (gpg_cmd != NULL)
-		inline_gpg_verify(input, input_len);
+		inline_gpg_verify(input, input_len, gpg_keyring_pkgvuln);
 	if (certs_pkg_vulnerabilities != NULL)
 		verify_signature_pkcs7(input);
 }
-- 
cgit v1.2.3

