Description: Easily create signed Pacman package repositories.
Latest Version: 2021.11.12
Source Code: src/
AUR Page: repo-add_and_sign
Arch Forum Thread: 145763

repo-add_and_sign is a Python 3 script that wraps gpg, repo-add and repo-remove to batch-sign packages and generate signed repositories. The script will only prompt for a passphrase once and will not leave any keyring agents running. See the FAQ below.

makepkg and repo-add?
To use those options you either need to enter a passphrase for each file, which is very tedious, or you need to run a keyring agent in the background. Unless you are constantly signing things, the agent is unnecessary most of the time. It is also a security risk because anyone who can get access to your system would be able to use your key while the agent is running.

Short answer: gpg --gen-key
Long answer: GPGMiniHowto.
If you had to ask, I suggest at least skimming the documentation.

$ repo-add_and_sign --help
usage: repo-add_and_sign [-h] [-r <name>] [-e <extension>] [-a <architecture>]
                         [-o <path>] [--no-sign] [-c] [-p] [-v] [-u <GPG UID>]
                         [--passphrase <GPG passphrase>] [--no-verify]
                         <pkg path> [<pkg path> ...]

Generate a signed repo for some packages.

options:
  -h, --help            show this help message and exit

Repo Options:
  <pkg path>            The packages to include in the repo. Use the "--arch"
                        option if you need to filter the input paths.
  -r <name>, --repo <name>
                        The name of the repo to create.
  -e <extension>, --archive-ext <extension>
                        The database archive extension. Default: ".tar.xz"
  -a <architecture>, --arch <architecture>
                        Filter the input files by architecture compatibility,
                        e.g. "--arch x86_64" will only include "x86_64" and
                        "any" packages. This is useful when generating a repo
                        from a pool of packages.
  -o <path>, --out <path>
                        The output directory in which to create the repo.
                        Defaults to the current directory.
  --no-sign             Do not sign packages and databases.
  -c, --copy            Copy extradirectorial packages instead of symlinking
                        them.
  -p, --purge           Purge older versions of packages and databases.
  -v, --verbose         Increase logging verbosity: once for INFO, twice for
                        DEBUG.

GPG Options:
  -u <GPG UID>, --uid <GPG UID>
                        The user ID of the signing key. This option accepts
                        anything that can be passed to gpg's "-u" option.
  --passphrase <GPG passphrase>
                        Optionally provide the passphrase of the signing key.
                        Warning: this option will expose your passphrase to
                        all users with access to your process list.
  --no-verify           Skip GPG verfication of existing signatures. Only
                        check timestamps. This is faster but it will not
                        detect existing invalid signatures.

For signing you will need to add allow-loopback-pinentry to ~/.gnupg/gpg-agent.conf.
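
The following is an added example, not code from repo-add_and_sign itself: one way to sign a batch of packages after a single passphrase prompt, feeding the passphrase to gpg over stdin with loopback pinentry so it never appears in the process list. The function names, the injectable run parameter and the agent shutdown step are assumptions made for illustration.

```python
import getpass
import subprocess
from pathlib import Path


def gpg_sign_argv(pkg, uid):
    """Build the gpg command for one detached signature; no secret in argv."""
    return [
        "gpg", "--batch", "--yes",
        "--pinentry-mode", "loopback",   # requires allow-loopback-pinentry
        "--passphrase-fd", "0",          # passphrase arrives on stdin
        "--local-user", uid,
        "--detach-sign", "--no-armor",
        "--output", f"{pkg}.sig",
        str(pkg),
    ]


def sign_packages(pkgs, uid, passphrase, run=subprocess.run):
    """Sign every package with one passphrase; return the .sig paths."""
    sigs = []
    try:
        for pkg in pkgs:
            # The passphrase travels through a pipe, so it never shows up in
            # the process list the way a --passphrase argument would.
            run(gpg_sign_argv(pkg, uid),
                input=(passphrase + "\n").encode(), check=True)
            sigs.append(Path(f"{pkg}.sig"))
    finally:
        # Assumption: stop the agent that gpg 2.x starts on demand, so no
        # cached key material outlives this run.
        run(["gpgconf", "--kill", "gpg-agent"], check=False)
    return sigs


if __name__ == "__main__":
    import sys
    uid, *pkgs = sys.argv[1:]
    secret = getpass.getpass(f"Passphrase for {uid}: ")  # asked once
    for sig in sign_packages(pkgs, uid, secret):
        print("wrote", sig)
```

Note that gpgconf --kill gpg-agent also stops an agent that was already running before the script started.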

Refactored code:
--copy option as suggested by mortbauer from the Arch Linux forums
--verbose option