#1 2012-04-05 12:09:30

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Pacman post install key script [work in progress]

After a post install of Archbang, SigLevel is set to Never and package signing is not set up. It is at the moment left to the user to set up pacman keys.

The following is the start of a small script that will hopefully help.

pac-key

#!/bin/bash
# Pacman Keys install script
# by Mr Green and Oliver
# 

gpg_conf="/etc/pacman.d/gnupg/gpg.conf"

checkExitCode() {
  if ! [[ -f  $gpg_conf ]]; then
    echo "pacman-key failed to initialise... bailing"
    exit 1
  fi
}

checkEditFile() {
  if [[ $? -ne 0 ]]; then
    echo "something went wrong with editing file...bailing"
    mv ${gpg_conf}.default $gpg_conf
    exit 1
  fi
}

echo "Now running pacman-key this will take some time please wait!" 
pacman-key --init 

checkExitCode

# Backup gpg.conf in case of any problems
cp -p $gpg_conf ${gpg_conf}.default

# Grab keys
sed -i '/^keyserver .*$/{x;s/$/keyserver hkp:\/\/pgp.mit.edu:11371/;G;}' $gpg_conf

checkEditFile

curl https://www.archlinux.org/{developers,trustedusers}/ | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs pacman-key --recv-keys

echo -e " Success... Please edit /etc/pacman.conf and set SigLevel \n See https://wiki.archlinux.org/index.php/Pacman-key for more details"

Any suggestions or additions most welcome

Offline

#2 2012-04-05 21:44:51

oliver
Administrator
Registered: 2010-11-04
Posts: 1,516

Re: Pacman post install key script [work in progress]

Just so it's straight in my head...

the "pacman-key --init" part creates the default gpg.conf file and then you have to substitute the default keyserver for the real one?

I'd be tempted to drop the variables and just do it directly (your sed command is also missing the -i)

sed -i 's/^keyserver .*$/keyserver hkp:\/\/pgp.mit.edu:11371/' /etc/pacman.d/gnupg/gpg.conf

(I'd also back it up too, just in case)

As always, this is untested for functionality/performance/lack-of-useless-use-of-cat-etc

#!/bin/bash
# Pacman Key install script

echo "Now running pacman-key this will take some time please wait!" 
pacman-key --init 

if ! [[ -f  /etc/pacman.d/gnupg/gpg.conf ]]; then
  echo "pacman-key failed to initialise... bailing"
  exit 1
fi

# Edit /etc/pacman.d/gnupg/gpg.conf
# keyserver hkp://pgp.mit.edu:11371

# Not sure about syntax as gpg.conf contains two keyserver lines
cp -p /etc/pacman.d/gnupg/gpg.conf /etc/pacman.d/gnupg/gpg.conf.default

sed -i 's/^keyserver .*$/keyserver hkp:\/\/pgp.mit.edu:11371/' /etc/pacman.d/gnupg/gpg.conf
if [[ $? -ne 0 ]]; then
  echo "something went wrong with editing file...bailing"
  mv /etc/pacman.d/gnupg/gpg.conf.default /etc/pacman.d/gnupg/gpg.conf
  exit 1
fi

curl https://www.archlinux.org/{developers,trustedusers}/ | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs pacman-key --recv-keys

# Set SigLevel in /etc/pacman.conf
# Possibly leave this down to user?
echo "SigLevel set to blah blah blah...."

You get the idea


Welly, welly, welly, welly, welly, welly, well. To what do I owe the extreme pleasure of this surprising visit?

Offline

#3 2012-04-05 23:21:44

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

Sed is a language in itself :)

Like the 'if' statements to capture any problems

There are two lines with keyserver in gpg.conf

keyserver hkp://keys.gnupg.net
keyserver-options timeout=10

Just have to make sure sed only changes one

Will test under virtual machine

Thanks

Offline

#4 2012-04-06 06:12:30

oliver
Administrator
Registered: 2010-11-04
Posts: 1,516

Re: Pacman post install key script [work in progress]

Mr Green wrote:

Just have to make sure sed only changes one

Hopefully, the <space> in the sed command ( ^keyserver .*$ ) ensures it ignores the keyserver-options line - it's kind of hard to notice, but it is in there.  You could go a little further and make the line:

sed -i 's/^keyserver hkp.*$/keyserver hkp:\/\/pgp.mit.edu:11371/' /path/to/gpg.conf

Another option that would hopefully take changes to the upstream 'pacman-key --init' into account would be:

grep -q '^keyserver hkp://pgp.mit.edu:11371$' /path/to/gpg.conf || sed -i 's/^keyserver hkp.*$/keyserver hkp:\/\/pgp.mit.edu:11371/' /path/to/gpg.conf

This way, the sed line only gets run if the appropriate line is not already in there.  I would imagine there's a good reason why they didn't add it by default though.. and it doesn't cover all eventualities...  I guess you've got to decide exactly how robust you want this thing to be... if you wanted it full-on-check-everything then you also need to add a test for DNS  (i.e. covering the lookup for the curl command and basic connectivity)


If you like the 'if' statement to capture problems, you could turn it into a function like:

checkExitCode()
{
  if [[ $? -ne 0 ]]; then
    echo "something went wrong... bailing"
    exit 1
  fi
}

and call it at numerous points in the script with: checkExitCode.  You lose a little versatility (i.e. returning the default conf file back) but it's less code to maintain in the future.  I don't know, personal choice I guess.


Welly, welly, welly, welly, welly, welly, well. To what do I owe the extreme pleasure of this surprising visit?

Offline

#5 2012-04-06 06:26:48

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

Am thinking it should be just a script that could be called if required, adding to openbox menu to me does not seem that good an idea.

It's a post install thing getting package signing working then left to user to sort future key updates and changes.

The SigLevel part is personal choice again we could open nano /etc/pacman.conf or use sed again but the options are many. I want to keep it KISS

Do not really want to go too far, we are assuming network connection is working [I could simply add an echo "Working Network Required!"]

Next we will be adding a gtk gui wrapper yuk!!!!

Something is nagging at the back of my mind as to checking a command has worked, 2&1>/dev/null is for suppressing output?

My girls guide to bash does not have much on '[' so still have some reading to do.

Yes script is looking good, it's not going to make it into April release as I feel we need feedback testing etc, but could add a link to it if users wish to use it.

Offline

#6 2012-04-09 05:57:58

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

#!/bin/bash
# Pacman Key install script

echo "Now running pacman-key this will take some time please wait!" 
pacman-key --init 

if ! [[ -f  /etc/pacman.d/gnupg/gpg.conf ]]; then
  echo "pacman-key failed to initialise... bailing"
  exit 1
fi

# Backup gpg.conf in case of any problems
cp -p /etc/pacman.d/gnupg/gpg.conf /etc/pacman.d/gnupg/gpg.conf.default

# Grab keys
sed -i 's/^keyserver .*$/keyserver hkp:\/\/pgp.mit.edu:11371/' /etc/pacman.d/gnupg/gpg.conf
if [[ $? -ne 0 ]]; then
  echo "something went wrong with editing file...bailing"
  mv /etc/pacman.d/gnupg/gpg.conf.default /etc/pacman.d/gnupg/gpg.conf
  exit 1
fi

curl https://www.archlinux.org/{developers,trustedusers}/ | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs pacman-key --recv-keys

echo "Success... Please edit /etc/pacman.conf and set SigLevel see https://wiki.archlinux.org/index.php/Pacman-key for more details"

Going to test this version, for such a small script adding a function really not worth it... still not sure about pacman-key --init, should the user run that ?

Offline

#7 2012-04-09 08:37:34

oliver
Administrator
Registered: 2010-11-04
Posts: 1,516

Re: Pacman post install key script [work in progress]

Mr Green wrote:

Going to test this version, for such a small script adding a function really not worth it... still not sure about pacman-key --init, should the user run that ?

IMO, it should be all or nothing but this is your project :-)

You could even put a wrapper script in /etc/rc.local that basically asks:

In pseudo code:

If there's no file called "ignore" do the following

Do you want to initialize pacman keys?
y) = yes
  run the main script
n) = never
  touch ignore file
s) = skip
  do nothing but carry on the boot process

Downside is that it will halt the boot process since it's interactive... but you could also put in a timer to automatically skip if no input within 10 seconds or so


Welly, welly, welly, welly, welly, welly, well. To what do I owe the extreme pleasure of this surprising visit?

Offline

#8 2012-04-09 09:01:13

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

#!/bin/bash
# Pacman Key install script

checkExitCode() {
	if ! [[ -f  /etc/pacman.d/gnupg/gpg.conf ]]; then
		echo "pacman-key failed to initialise... bailing"
		exit 1
	fi
}

checkEditFile() {
	if [[ $? -ne 0 ]]; then
		echo "something went wrong with editing file...bailing"
		mv /etc/pacman.d/gnupg/gpg.conf.default /etc/pacman.d/gnupg/gpg.conf
		exit 1
	fi
}

echo "Now running pacman-key this will take some time please wait!" 
pacman-key --init 

checkEditFile

# Backup gpg.conf in case of any problems
cp -p /etc/pacman.d/gnupg/gpg.conf /etc/pacman.d/gnupg/gpg.conf.default

# Grab keys
sed -i 's/^keyserver .*$/keyserver hkp:\/\/pgp.mit.edu:11371/' /etc/pacman.d/gnupg/gpg.conf

checkExitCode

curl https://www.archlinux.org/{developers,trustedusers}/ | awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' | xargs pacman-key --recv-keys

echo "Success... Please edit /etc/pacman.conf and set SigLevel see https://wiki.archlinux.org/index.php/Pacman-key for more details"

Think I need to reduce my tabs in Geany :)

pablokal suggested code run from a keybind, gives user the choice.

Really dumb idea time what about creating a hook?

Offline

#9 2012-04-09 11:24:50

oliver
Administrator
Registered: 2010-11-04
Posts: 1,516

Re: Pacman post install key script [work in progress]

I've never created a hook, no idea about how involved it is.

Do you think there's a possibility that the gpg.conf file would ever take multiple keyserver lines?  If so, you do risk overwriting existing good data.

The following might be safer

sed '/^keyserver .*$/{x;s/$/keyserver hkp:\/\/pgp.mit.edu:11371/;G;}' gpg.conf

This should find the first instance of keyserver and add a new line above it (and not modify the existing lines)


Welly, welly, welly, welly, welly, welly, well. To what do I owe the extreme pleasure of this surprising visit?

Offline

#10 2012-04-09 13:01:35

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

Knowing Arch yes, it changes daily :) the sed was always going to be a concern.

A hook may be a little too far, do not want to mess around with boot process.

Offline

#11 2012-04-10 03:32:43

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

#!/bin/bash
# Pacman Key install script

gpg_conf="/etc/pacman.d/gnupg/gpg.conf"

checkExitCode() {
  if ! [[ -f  $gpg_conf ]]; then
    echo "pacman-key failed to initialise... bailing"
    exit 1
  fi
}

checkEditFile() {
  if [[ $? -ne 0 ]]; then
    echo "something went wrong with editing file...bailing"
    mv ${gpg_conf}.default $gpg_conf
    exit 1
  fi
}

echo "Now running pacman-key this will take some time please wait!" 
pacman-key --init 

checkExitCode

# Backup gpg.conf in case of any problems
cp -p $gpg_conf ${gpg_conf}.default

# Grab keys
sed -i '/^keyserver .*$/{x;s/$/keyserver hkp:\/\/pgp.mit.edu:11371/;G;}' $gpg_conf

checkEditFile

curl https://www.archlinux.org/{developers,trustedusers}/ |
awk -F\" '(/pgp.mit.edu/) {sub(/.*search=0x/,"");print $1}' |
xargs pacman-key --recv-keys

echo "Success... Please edit /etc/pacman.conf and set SigLevel see https://wiki.archlinux.org/index.php/Pacman-key for more details"

Added sed updated line [do I still need -i?] also gpg_conf [path to config] not sure if my ${gpg_conf}.default will work

Offline
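
Added example, not part of any post in this thread: the curl/awk pipeline hands whatever the awk prints straight to pacman-key, so this sketch keeps only well-formed hex key IDs and refuses to call pacman-key when none are found. The function names and the sample HTML (with made-up key IDs) are assumptions for illustration.

```bash
#!/bin/bash
# Added example: validate scraped key IDs before they become pacman-key arguments.
# extract_key_ids, import_keys and sample_page are hypothetical names; the HTML in
# sample_page is constructed and its key IDs are made up.

extract_key_ids() {
  # Same extraction as the thread's awk, then keep only 8, 16 or 40 hex digits,
  # normalise case and drop duplicates. Anything else is discarded.
  awk -F'"' '/pgp\.mit\.edu/ { sub(/.*search=0x/, ""); print $1 }' |
    grep -E '^([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$' |
    tr 'a-f' 'A-F' | sort -u
}

import_keys() {
  # -f makes curl fail on HTTP errors instead of piping an error page to awk.
  local ids
  ids=$(curl -fsS https://www.archlinux.org/developers/ \
                  https://www.archlinux.org/trustedusers/ | extract_key_ids)
  if [ -z "$ids" ]; then
    echo "no valid key IDs extracted, not calling pacman-key" >&2
    return 1
  fi
  printf '%s\n' "$ids" | xargs pacman-key --recv-keys
}

sample_page() {
  # Constructed input: two valid IDs, one duplicate in lower case, one malformed
  # value, and one line that mentions the keyserver without a search link.
  cat <<'EOF'
<a href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&amp;search=0x0123ABCD">key</a>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&amp;search=0x89abcdef01234567">key</a>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&amp;search=0x0123abcd">key</a>
<a href="http://pgp.mit.edu:11371/pks/lookup?op=vindex&amp;search=0xNOT-A-KEY">key</a>
<p>Keys are looked up on pgp.mit.edu</p>
EOF
}

# Offline demonstration on the constructed page; import_keys is not called here.
sample_page | extract_key_ids
```
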

#12 2012-04-10 05:53:49

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

New config file looks like this

[mrgreen@archbang ~]$ more gpg.conf 
no-greeting
no-permission-warning
lock-never
keyserver hkp://pgp.mit.edu:11371
keyserver hkp://keys.gnupg.net
keyserver-options timeout=10

Script works, got to check on next update if keys work... *.default can be removed/restored  at script end [function]?

Back to the script lab :)

Offline
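
Added example, not part of any post in this thread: the hold-space sed acts on every line that matches `^keyserver `, so running the script a second time edits gpg.conf again. This sketch inserts the line above the first keyserver entry only when it is not already present, and is exercised on a constructed copy of the gpg.conf quoted above; `add_keyserver` and `demo` are hypothetical names.

```bash
#!/bin/bash
# Added example: idempotent "insert keyserver above the first keyserver line".
# add_keyserver and demo are hypothetical names; the sample gpg.conf is constructed
# from the lines quoted in the thread.

add_keyserver() {
  local conf="$1" server="$2" tmp rc=1
  [ -f "$conf" ] || return 2
  # Exact line already present: leave the file untouched.
  if grep -qxF -- "keyserver $server" "$conf"; then
    return 0
  fi
  tmp=$(mktemp) || return 1
  # Print the new line once, above the first "keyserver <value>" line. The space
  # in the pattern keeps "keyserver-options" from matching. If the file has no
  # keyserver line at all, append the new line at the end.
  if awk -v line="keyserver $server" '
       !seen && /^keyserver / { print line; seen = 1 }
       { print }
       END { if (!seen) print line }' "$conf" > "$tmp"
  then
    # Write back through the existing file so its owner and mode are kept.
    cat "$tmp" > "$conf" && rc=0
  fi
  rm -f "$tmp"
  return $rc
}

demo() {
  local dir conf
  dir=$(mktemp -d) || return 1
  conf="$dir/gpg.conf"
  printf '%s\n' no-greeting no-permission-warning lock-never \
    'keyserver hkp://keys.gnupg.net' 'keyserver-options timeout=10' > "$conf"
  add_keyserver "$conf" 'hkp://pgp.mit.edu:11371'
  add_keyserver "$conf" 'hkp://pgp.mit.edu:11371'   # second run changes nothing
  cat "$conf"
  rm -rf "$dir"
}

demo
```
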

#13 2012-04-10 06:36:28

oliver
Administrator
Registered: 2010-11-04
Posts: 1,516

Re: Pacman post install key script [work in progress]

Mr Green wrote:

Added sed updated line [do I still need -i?]

" -i" means you will edit the file "in place"....  without it, the changes will be sent to std-out (i.e. the screen) or you redirect them to a temporary file - so the following two commands are functionally equivalent:

command 1
sed 's/foo/bar/' file1 > file2
mv file2 file1

command 2
sed -i 's/foo/bar/' file1


Welly, welly, welly, welly, welly, welly, well. To what do I owe the extreme pleasure of this surprising visit?

Offline

#14 2012-04-10 06:40:38

oliver
Administrator
Registered: 2010-11-04
Posts: 1,516

Re: Pacman post install key script [work in progress]

Mr Green wrote:

Script works, got to check on next update if keys work... *.default can be removed/restored  at script end [function]?

Back to the script lab :)

Looks like you're calling 'checkExitCode' twice and checkEditFile not at all :-)

TBH, if you're only calling each one once, turning it into a function isn't really any benefit except it does make the main body of the script a little neater and easier to read.  The real bonus is when you want to check the exit code (for example) multiple times - you only have to define the 'if [whatever]' statement once


Welly, welly, welly, welly, welly, welly, well. To what do I owe the extreme pleasure of this surprising visit?

Offline

#15 2012-04-10 06:46:06

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

Oops I got it .... will change that.

No I like easier to read :)

Offline

#16 2012-04-10 08:33:48

Mr Green
Iso Developer
Registered: 2010-11-07
Posts: 3,749

Re: Pacman post install key script [work in progress]

Thought echo at end of script may not display right so

echo -e " Success... Please edit /etc/pacman.conf and set SigLevel \n See https://wiki.archlinux.org/index.php/Pacman-key for more details"

Added echo -e

Offline
