authorPanu Matilainen <pmatilai@redhat.com>2010-09-03 16:09:47 +0300
committerPanu Matilainen <pmatilai@redhat.com>2010-09-03 16:16:57 +0300
commitdfbaa77152ccf98524c4f27afe85d32e6f690522 (patch)
tree3e28230126ed40fbb063edce847a668a12eb6521
parentb195048bbb27a1aae4aa3938c3b1f79e0a26ae88 (diff)
downloadrpm-dfbaa77152ccf98524c4f27afe85d32e6f690522.tar.gz
Add a brand new rpmkeys utility for keyring operations
- Keyring operations (adding/viewing/removing keys and verifying packages against a given keyring) are different from main rpm operations in that they only need access to the rpm keyring, and no write access anywhere else in the system. At the moment the rpm keyring happens to be the rpmdb but that's just an implementation detail that is likely to change sooner or later. Besides paving the way to separating the rpm keyring from the rpmdb, splitting this into a small, separate utility allows limiting its required access from SELinux POV etc. - For now, this only implements what's already in rpm: --import and --checksig; remaining operations like listing and manipulating keyring contents are left as an exercise for another day...
-rw-r--r--Makefile.am8
-rw-r--r--po/POTFILES.in1
-rw-r--r--rpmkeys.c76
3 files changed, 84 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index 2077f00ad..1398e0f38 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -78,7 +78,7 @@ pkginclude_HEADERS += build/rpmspec.h
rpmbindir = `echo $(bindir) | $(SED) -e s,usr/bin,bin,`
rpmbin_PROGRAMS = rpm
-bin_PROGRAMS = rpm2cpio rpmbuild rpmsign
+bin_PROGRAMS = rpm2cpio rpmbuild rpmkeys rpmsign
rpmlibexec_PROGRAMS =
rpmconfig_SCRIPTS = find-provides find-requires mkinstalldirs \
@@ -98,6 +98,12 @@ rpm_LDADD = libcliutils.la
rpm_LDADD += build/librpmbuild.la lib/librpm.la rpmio/librpmio.la
rpm_LDADD += @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+rpmkeys_SOURCES = rpmkeys.c debug.h system.h
+rpmkeys_CPPFLAGS = $(AM_CPPFLAGS)
+rpmkeys_LDADD = libcliutils.la
+rpmkeys_LDADD += lib/librpm.la rpmio/librpmio.la
+rpmkeys_LDADD += @WITH_NSS_LIB@ @WITH_POPT_LIB@ @WITH_ZLIB_LIB@
+
rpmsign_SOURCES = rpmsign.c debug.h system.h
rpmsign_CPPFLAGS = $(AM_CPPFLAGS)
rpmsign_LDADD = libcliutils.la
diff --git a/po/POTFILES.in b/po/POTFILES.in
index c1f28b0a5..dc6bea652 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -6,6 +6,7 @@ cliutils.c
rpm2cpio.c
rpmqv.c
rpmbuild.c
+rpmkeys.c
rpmsign.c
build/build.c
build/expression.c
diff --git a/rpmkeys.c b/rpmkeys.c
new file mode 100644
index 000000000..45ca47e4e
--- /dev/null
+++ b/rpmkeys.c
@@ -0,0 +1,76 @@
+#include "system.h"
+
+#include <popt.h>
+#include <rpm/rpmcli.h>
+#include "cliutils.h"
+#include "debug.h"
+
+#if !defined(__GLIBC__) && !defined(__APPLE__)
+char ** environ = NULL;
+#endif
+
+enum modes {
+ MODE_CHECKSIG = (1 << 0),
+ MODE_IMPORTKEY = (1 << 1),
+ MODE_DELKEY = (1 << 2),
+ MODE_LISTKEY = (1 << 3),
+};
+
+static int mode = 0;
+
+static struct poptOption optionsTable[] = {
+ { NULL, '\0', POPT_ARG_INCLUDE_TABLE, rpmcliAllPoptTable, 0,
+ N_("Common options for all rpm modes and executables:"), NULL },
+ { "checksig", 'K', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_CHECKSIG,
+ N_("verify package signature(s)"), NULL },
+ { "import", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_IMPORTKEY,
+ N_("import an armored public key"), NULL },
+#if 0
+ { "delete-key", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_DELKEY,
+ N_("list keys from RPM keyring"), NULL },
+ { "list-keys", '\0', (POPT_ARG_VAL|POPT_ARGFLAG_OR), &mode, MODE_LISTKEY,
+ N_("list keys from RPM keyring"), NULL },
+#endif
+
+ POPT_AUTOALIAS
+ POPT_AUTOHELP
+ POPT_TABLEEND
+};
+
+int main(int argc, char *argv[])
+{
+ int ec = EXIT_FAILURE;
+ poptContext optCon = rpmcliInit(argc, argv, optionsTable);
+ rpmts ts = rpmtsCreate();
+ ARGV_const_t args = NULL;
+
+ if (argc < 2) {
+ printUsage(optCon, stderr, 0);
+ goto exit;
+ }
+
+ args = (ARGV_const_t) poptGetArgs(optCon);
+
+ if (mode != MODE_LISTKEY && args == NULL)
+ argerror(_("no arguments given"));
+
+ switch (mode) {
+ case MODE_CHECKSIG:
+ ec = rpmcliVerifySignatures(ts, args);
+ break;
+ case MODE_IMPORTKEY:
+ ec = rpmcliImportPubkeys(ts, args);
+ break;
+ /* XXX TODO: actually implement these... */
+ case MODE_DELKEY:
+ case MODE_LISTKEY:
+ break;
+ default:
+ argerror(_("only one major mode may be specified"));
+ }
+
+exit:
+ rpmtsFree(ts);
+ rpmcliFini(optCon);
+ return ec;
+}
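Review bot: In `main`, `ec` takes the return value of `rpmcliVerifySignatures()` or `rpmcliImportPubkeys()` unchanged and is returned as the process exit status. If those helpers return a failure count rather than 0/1 (their definitions are not in this diff), a count that is a multiple of 256 would reach the shell as 0, so a script gating on `rpmkeys --checksig` would read failed verification as success. Clamping at the end, e.g. `return (ec > 255) ? 255 : ec;`, would close that. Separately, when no mode option is given `mode` stays 0 and the `default:` branch reports "only one major mode may be specified", which is misleading; a distinct `case 0:` message would be clearer. Inside the `#if 0` block, the `--delete-key` entry reuses the `--list-keys` help string "list keys from RPM keyring".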