allow to specify key overrides for packages

CONFIGURING.md

@@ -37,7 +37,8 @@ Base repository settings.
 Settings for signing packages or repository. Group name must refer to architecture, e.g. it should be `sign_x86_64` for x86_64 architecture.
 
 * `target` - configuration flag to enable signing, space separated list of strings, required. Allowed values are `package` (sign each package separately), `repository` (sign repository database file).
-* `key` - PGP key, string, required.
+* `key` - default PGP key, string, required. This key will also be used for database signing if enabled.
+* `key_*` settings - PGP key which will be used for specific packages, string, optional. For example, if there is `key_yay` option the specified key will be used for yay package and default key for others.
 
 ## `report` group
 

README.md

@@ -7,7 +7,7 @@ Wrapper for managing custom repository inspired by [repo-scripts](https://github
 * Install-configure-forget manager for own repository
 * Multi-architecture support
 * VCS packages support
-* Sign support with gpg
+* Sign support with gpg (repository, package, per package settings)
 * Synchronization to remote services (rsync, s3) and report generation (html) 
 * Repository status interface
 

src/ahriman/core/repository.py

@@ -138,7 +138,7 @@ class Repository:
         for package in packages:
             local = Package.load(package, self.aur_url)  # we will use it for status reports
             try:
-                files = self.sign.sign_package(package)
+                files = self.sign.sign_package(package, local.base)
                 for src in files:
                     dst = os.path.join(self.paths.repository, os.path.basename(src))
                     shutil.move(src, dst)

src/ahriman/core/sign/gpg_wrapper.py

@@ -32,37 +32,38 @@ class GPGWrapper:
 
     def __init__(self, architecture: str, config: Configuration) -> None:
         self.logger = logging.getLogger('build_details')
-        section = config.get_section_name('sign', architecture)
-        self.target = [SignSettings.from_option(opt) for opt in config.getlist(section, 'target')]
-        self.key = config.get(section, 'key') if self.target else None
+        self.config = config
+        self.section = config.get_section_name('sign', architecture)
+        self.target = [SignSettings.from_option(opt) for opt in config.getlist(self.section, 'target')]
+        self.default_key = config.get(self.section, 'key') if self.target else ''
 
     @property
     def repository_sign_args(self) -> List[str]:
         if SignSettings.SignRepository not in self.target:
             return []
-        return ['--sign', '--key', self.key] if self.key else ['--sign']
+        return ['--sign', '--key', self.default_key]
 
-    def process(self, path: str) -> List[str]:
+    def process(self, path: str, key: str) -> List[str]:
         check_output(
-            *self.sign_cmd(path),
+            *self.sign_cmd(path, key),
             exception=BuildFailed(path),
             cwd=os.path.dirname(path),
             logger=self.logger)
         return [path, f'{path}.sig']
 
-    def sign_cmd(self, path: str) -> List[str]:
+    def sign_cmd(self, path: str, key: str) -> List[str]:
         cmd = ['gpg']
-        if self.key is not None:
-            cmd.extend(['-u', self.key])
+        cmd.extend(['-u', key])
         cmd.extend(['-b', path])
         return cmd
 
-    def sign_package(self, path: str) -> List[str]:
+    def sign_package(self, path: str, base: str) -> List[str]:
         if SignSettings.SignPackages not in self.target:
             return [path]
-        return self.process(path)
+        key = self.config.get(self.section, f'key_{base}', fallback=self.default_key)
+        return self.process(path, key)
 
     def sign_repository(self, path: str) -> List[str]:
         if SignSettings.SignRepository not in self.target:
             return [path]
-        return self.process(path)
+        return self.process(path, self.default_key)