diff --git a/CONFIGURING.md b/CONFIGURING.md
index c9449231..72b08646 100644
--- a/CONFIGURING.md
+++ b/CONFIGURING.md
@@ -37,7 +37,8 @@ Base repository settings.
 Settings for signing packages or repository. Group name must refer to architecture, e.g. it should be `sign_x86_64` for x86_64 architecture.
 * `target` - configuration flag to enable signing, space separated list of strings, required. Allowed values are `package` (sign each package separately), `repository` (sign repository database file).
-* `key` - PGP key, string, required.
+* `key` - default PGP key, string, required. This key will also be used for database signing if enabled.
+* `key_*` settings - PGP key which will be used for specific packages, string, optional. For example, if there is `key_yay` option the specified key will be used for yay package and default key for others.
 ## `report` group
diff --git a/README.md b/README.md
index 2c322911..6c083052 100644
--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ Wrapper for managing custom repository inspired by [repo-scripts](https://github
 * Install-configure-forget manager for own repository
 * Multi-architecture support
 * VCS packages support
-* Sign support with gpg
+* Sign support with gpg (repository, package, per package settings)
 * Synchronization to remote services (rsync, s3) and report generation (html)
 * Repository status interface
diff --git a/src/ahriman/core/repository.py b/src/ahriman/core/repository.py
index 55eec6b3..ac088990 100644
--- a/src/ahriman/core/repository.py
+++ b/src/ahriman/core/repository.py
@@ -138,7 +138,7 @@ class Repository:
 for package in packages:
 local = Package.load(package, self.aur_url) # we will use it for status reports
 try:
- files = self.sign.sign_package(package)
+ files = self.sign.sign_package(package, local.base)
 for src in files:
 dst = os.path.join(self.paths.repository, os.path.basename(src))
 shutil.move(src, dst)
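Review bot: The signing key is selected by `local.base` at the `sign_package` call, so, if `base` is the pkgbase as the name suggests, every split package built from one base shares a single `key_<base>` setting, and nothing at the call site says so. A comment above the call, `# signing key is looked up by package base, not by individual package name`, would make that explicit. `local` comes from `Package.load(package, ...)` on the file being processed, so the key choice depends on that package's own metadata; that is fine only as long as everything reaching this loop was built locally and is trusted. The enclosing loop and method start and end outside the hunk.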
diff --git a/src/ahriman/core/sign/gpg_wrapper.py b/src/ahriman/core/sign/gpg_wrapper.py
index 09c3eee4..8225dbe3 100644
--- a/src/ahriman/core/sign/gpg_wrapper.py
+++ b/src/ahriman/core/sign/gpg_wrapper.py
@@ -32,37 +32,38 @@ class GPGWrapper:
 def __init__(self, architecture: str, config: Configuration) -> None:
 self.logger = logging.getLogger('build_details')
- section = config.get_section_name('sign', architecture)
- self.target = [SignSettings.from_option(opt) for opt in config.getlist(section, 'target')]
- self.key = config.get(section, 'key') if self.target else None
+ self.config = config
+ self.section = config.get_section_name('sign', architecture)
+ self.target = [SignSettings.from_option(opt) for opt in config.getlist(self.section, 'target')]
+ self.default_key = config.get(self.section, 'key') if self.target else ''
 @property
 def repository_sign_args(self) -> List[str]:
 if SignSettings.SignRepository not in self.target:
 return []
- return ['--sign', '--key', self.key] if self.key else ['--sign']
+ return ['--sign', '--key', self.default_key]
- def process(self, path: str) -> List[str]:
+ def process(self, path: str, key: str) -> List[str]:
 check_output(
- *self.sign_cmd(path),
+ *self.sign_cmd(path, key),
 exception=BuildFailed(path), cwd=os.path.dirname(path), logger=self.logger)
 return [path, f'{path}.sig']
- def sign_cmd(self, path: str) -> List[str]:
+ def sign_cmd(self, path: str, key: str) -> List[str]:
 cmd = ['gpg']
- if self.key is not None:
- cmd.extend(['-u', self.key])
+ cmd.extend(['-u', key])
 cmd.extend(['-b', path])
 return cmd
- def sign_package(self, path: str) -> List[str]:
+ def sign_package(self, path: str, base: str) -> List[str]:
 if SignSettings.SignPackages not in self.target:
 return [path]
- return self.process(path)
+ key = self.config.get(self.section, f'key_{base}', fallback=self.default_key)
+ return self.process(path, key)
 def sign_repository(self, path: str) -> List[str]:
 if SignSettings.SignRepository not in self.target:
 return [path]
- return self.process(path)
\ No newline at end of file
+ return self.process(path, self.default_key)
\ No newline at end of file
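Review bot: An empty key string now reaches gpg unchecked, in `sign_cmd` (`-u key` is always emitted) and in `repository_sign_args` (`--key self.default_key` is always emitted, where the removed line fell back to plain `--sign` for a falsy key). `fallback=self.default_key` in `sign_package` presumably only applies when the `key_{base}` option is absent, so an option that is present but blank would hand `''` to `-u`, and which key signs the package is then up to gpg rather than the configuration. I would fail before building the command, e.g. `if not key: raise ValueError(f'empty signing key for {base}')` right after the lookup, with the same check on `default_key` in `__init__` when `self.target` is non-empty. The new `base` parameter also has no documentation; a one-line docstring on `sign_package` saying that `base` is the package base used to select `key_<base>`, with the default key as fallback, would help.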