doc: Document using VCS sources in a PKGBUILD
[pacman-ng.git] / scripts / pacman-key.sh.in
blobe5b602141d0a7d33c7ffb679d39edd753243f97b
1 #!/bin/bash
3 # pacman-key - manages pacman's keyring
4 # Based on apt-key, from Debian
5 # @configure_input@
7 # Copyright (c) 2010-2012 Pacman Development Team <pacman-dev@archlinux.org>
9 # This program is free software; you can redistribute it and/or modify
10 # it under the terms of the GNU General Public License as published by
11 # the Free Software Foundation; either version 2 of the License, or
12 # (at your option) any later version.
14 # This program is distributed in the hope that it will be useful,
15 # but WITHOUT ANY WARRANTY; without even the implied warranty of
16 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 # GNU General Public License for more details.
19 # You should have received a copy of the GNU General Public License
20 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 # gettext initialization
24 export TEXTDOMAIN='pacman-scripts'
25 export TEXTDOMAINDIR='@localedir@'
27 declare -r myver="@PACKAGE_VERSION@"
29 # Options
30 ADD=0
31 DELETE=0
32 EDITKEY=0
33 EXPORT=0
34 FINGER=0
35 IMPORT=0
36 IMPORT_TRUSTDB=0
37 INIT=0
38 KEYSERVER=''
39 LISTKEYS=0
40 LISTSIGS=0
41 LSIGNKEY=0
42 POPULATE=0
43 RECEIVE=0
44 REFRESH=0
45 UPDATEDB=0
46 VERIFY=0
48 DEFAULT_KEYSERVER='hkp://pool.sks-keyservers.net'
50 m4_include(library/output_format.sh)
52 m4_include(library/parseopts.sh)
54 usage() {
55 printf "pacman-key (pacman) %s\n" ${myver}
56 echo
57 printf -- "$(gettext "Usage: %s [options] operation [targets]")\n" $(basename $0)
58 echo
59 printf -- "$(gettext "Manage pacman's list of trusted keys")\n"
60 echo
61 printf -- "$(gettext "Operations:")\n"
62 printf -- "$(gettext " -a, --add Add the specified keys (empty for stdin)")\n"
63 printf -- "$(gettext " -d, --delete Remove the specified keyids")\n"
64 printf -- "$(gettext " -e, --export Export the specified or all keyids")\n"
65 printf -- "$(gettext " -f, --finger List fingerprint for specified or all keyids")\n"
66 printf -- "$(gettext " -l, --list-keys List the specified or all keys")\n"
67 printf -- "$(gettext " -r, --recv-keys Fetch the specified keyids")\n"
68 printf -- "$(gettext " -u, --updatedb Update the trustdb of pacman")\n"
69 printf -- "$(gettext " -v, --verify Verify the file(s) specified by the signature(s)")\n"
70 printf -- "$(gettext " --edit-key Present a menu for key management task on keyids")\n"
71 printf -- "$(gettext " --import Imports pubring.gpg from dir(s)")\n"
72 printf -- "$(gettext " --import-trustdb Imports ownertrust values from trustdb.gpg in dir(s)")\n"
73 printf -- "$(gettext " --init Ensure the keyring is properly initialized")\n"
74 printf -- "$(gettext " --list-sigs List keys and their signatures")\n"
75 printf -- "$(gettext " --lsign-key Locally sign the specified keyid")\n"
76 printf -- "$(gettext " --populate Reload the default keys from the (given) keyrings\n\
77 in '%s'")\n" "@pkgdatadir@/keyrings"
78 printf -- "$(gettext " --refresh-keys Update specified or all keys from a keyserver")\n"
79 echo
80 printf -- "$(gettext "Options:")\n"
81 printf -- "$(gettext " --config <file> Use an alternate config file (instead of\n\
82 '%s')")\n" "@sysconfdir@/pacman.conf"
83 printf -- "$(gettext " --gpgdir <dir> Set an alternate directory for GnuPG (instead\n\
84 of '%s')")\n" "@sysconfdir@/pacman.d/gnupg"
85 printf -- "$(gettext " --keyserver <server-url> Specify a keyserver to use if necessary")\n"
86 echo
87 printf -- "$(gettext " -h, --help Show this help message and exit")\n"
88 printf -- "$(gettext " -V, --version Show program version")\n"
91 version() {
92 printf "pacman-key (pacman) %s\n" "${myver}"
93 printf -- "$(gettext "\
94 Copyright (c) 2010-2012 Pacman Development Team <pacman-dev@archlinux.org>.\n\
95 This is free software; see the source for copying conditions.\n\
96 There is NO WARRANTY, to the extent permitted by law.\n")"
99 # read the config file "$1" which has key=value pairs, and return the key which
100 # matches "$2". the equals sign between pairs may be surrounded by any amount
101 # of whitespace. Optionally, "$3" can be specified which is the default value
102 # when no key is found.
103 get_from() {
104 while IFS='=' read -r key value; do
105 [[ -z $key || ${key:0:1} = '#' ]] && continue
107 if [[ ${key%% *} = "$2" && -n ${value##* } ]]; then
108 echo "${value##* }"
109 return 0
111 done < "$1"
112 if [[ -n "$3" ]]; then
113 printf '%s\n' "$3"
114 return 0
116 return 1
119 key_lookup_from_name() {
120 local ids
122 mapfile -t ids < \
123 <("${GPG_PACMAN[@]}" --search-keys --batch --with-colons "$1" 2>/dev/null |
124 awk -F: '$1 == "pub" { print $2 }')
126 # only return success on non-ambiguous lookup
127 case ${#ids[*]} in
129 error "$(gettext "Failed to lookup key by name:") %s" "$name"
130 return 1
133 printf '%s' "${ids[0]}"
134 return 0
137 error "$(gettext "Key name is ambiguous:") %s" "$name"
138 return 1
140 esac
143 generate_master_key() {
144 # Generate the master key, which will be in both pubring and secring
145 "${GPG_PACMAN[@]}" --gen-key --batch <<EOF
146 %echo Generating pacman keyring master key...
147 Key-Type: RSA
148 Key-Length: 2048
149 Key-Usage: sign
150 Name-Real: Pacman Keyring Master Key
151 Name-Email: pacman@localhost
152 Expire-Date: 0
153 %commit
154 %echo Done
158 secret_keys_available() {
159 "${GPG_PACMAN[@]}" -K --with-colons | wc -l
162 # Adds the given gpg.conf option if it is not present in the file.
163 # Note that if we find it commented out, we won't add the option.
164 # args: $1 conffile, $2 option-name, $3 (optional) option-value
165 add_gpg_conf_option() {
166 local conffile=$1; shift
167 # looking for the option 'bare', only leading spaces or # chars allowed,
168 # followed by at least one space and any other text or the end of line.
169 if ! grep -q "^[[:space:]#]*$1\([[:space:]].*\)*$" "$conffile" &>/dev/null; then
170 printf '%s\n' "$*" >> "$conffile"
174 check_keyids_exist() {
175 local ret=0
176 for key in "$@"; do
177 # Verify if the key exists in pacman's keyring
178 if ! "${GPG_PACMAN[@]}" --list-keys "$key" &>/dev/null ; then
179 error "$(gettext "The key identified by %s could not be found locally.")" "$key"
180 ret=1
182 done
183 if (( ret )); then
184 exit 1
188 initialize() {
189 local conffile keyserv
190 # Check for simple existence rather than for a directory as someone
191 # may want to use a symlink here
192 [[ -e ${PACMAN_KEYRING_DIR} ]] || mkdir -p -m 755 "${PACMAN_KEYRING_DIR}"
194 # keyring files
195 [[ -f ${PACMAN_KEYRING_DIR}/pubring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/pubring.gpg
196 [[ -f ${PACMAN_KEYRING_DIR}/secring.gpg ]] || touch ${PACMAN_KEYRING_DIR}/secring.gpg
197 [[ -f ${PACMAN_KEYRING_DIR}/trustdb.gpg ]] || "${GPG_PACMAN[@]}" --update-trustdb
198 chmod 644 ${PACMAN_KEYRING_DIR}/{pubring,trustdb}.gpg
199 chmod 600 ${PACMAN_KEYRING_DIR}/secring.gpg
201 # gpg.conf
202 conffile="${PACMAN_KEYRING_DIR}/gpg.conf"
203 [[ -f $conffile ]] || touch "$conffile"
204 chmod 644 "$conffile"
205 add_gpg_conf_option "$conffile" 'no-greeting'
206 add_gpg_conf_option "$conffile" 'no-permission-warning'
207 add_gpg_conf_option "$conffile" 'lock-never'
208 keyserv=${KEYSERVER:-$DEFAULT_KEYSERVER}
209 add_gpg_conf_option "$conffile" 'keyserver' "$keyserv"
210 add_gpg_conf_option "$conffile" 'keyserver-options' 'timeout=10'
212 # set up a private signing key (if none available)
213 if [[ $(secret_keys_available) -lt 1 ]]; then
214 generate_master_key
215 UPDATEDB=1
219 check_keyring() {
220 if [[ ! -r ${PACMAN_KEYRING_DIR}/pubring.gpg || \
221 ! -r ${PACMAN_KEYRING_DIR}/trustdb.gpg ]]; then
222 error "$(gettext "You do not have sufficient permissions to read the %s keyring.")" "pacman"
223 msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
224 exit 1
227 if (( (EXPORT || FINGER || LIST || VERIFY) && EUID != 0 )); then
228 if ! grep -q "^[[:space:]]*lock-never[[:space:]]*$" ${PACMAN_KEYRING_DIR}/gpg.conf &>/dev/null; then
229 error "$(gettext "You do not have sufficient permissions to run this command.")"
230 msg "$(gettext "Use '%s' to correct the keyring permissions.")" "pacman-key --init"
231 exit 1
235 if (( LSIGNKEY )); then
236 if [[ $(secret_keys_available) -lt 1 ]]; then
237 error "$(gettext "There is no secret key available to sign with.")"
238 msg "$(gettext "Use '%s' to generate a default secret key.")" "pacman-key --init"
239 exit 1
244 populate_keyring() {
245 local KEYRING_IMPORT_DIR='@pkgdatadir@/keyrings'
247 local keyring KEYRINGIDS=("$@")
248 local ret=0
249 if (( ${#KEYRINGIDS[*]} == 0 )); then
250 # get list of all available keyrings
251 shopt -s nullglob
252 KEYRINGIDS=("$KEYRING_IMPORT_DIR"/*.gpg)
253 shopt -u nullglob
254 KEYRINGIDS=("${KEYRINGIDS[@]##*/}")
255 KEYRINGIDS=("${KEYRINGIDS[@]%.gpg}")
256 if (( ${#KEYRINGIDS[*]} == 0 )); then
257 error "$(gettext "No keyring files exist in %s.")" "$KEYRING_IMPORT_DIR"
258 ret=1
260 else
261 # verify listed keyrings exist
262 for keyring in "${KEYRINGIDS[@]}"; do
263 if [[ ! -f "$KEYRING_IMPORT_DIR/$keyring.gpg" ]]; then
264 error "$(gettext "The keyring file %s does not exist.")" "$KEYRING_IMPORT_DIR/$keyring.gpg"
265 ret=1
267 done
270 if (( ret )); then
271 exit 1
274 # Variable used for iterating on keyrings
275 local keys key_id
277 # Add keys from requested keyrings
278 for keyring in "${KEYRINGIDS[@]}"; do
279 msg "$(gettext "Appending keys from %s.gpg...")" "$keyring"
280 "${GPG_PACMAN[@]}" --import "${KEYRING_IMPORT_DIR}/${keyring}.gpg"
281 done
283 # Read the trusted key IDs to an array. Because this is an ownertrust
284 # file, we know we have the full 40 hex digit fingerprint values.
285 # Format of ownertrust dump file:
286 # 40CHARFINGERPRINTXXXXXXXXXXXXXXXXXXXXXXX:6:
287 # 40CHARFINGERPRINTXXXXXXXXXXXXXXXXXXXXXXX:5:
288 local -A trusted_ids
289 for keyring in "${KEYRINGIDS[@]}"; do
290 if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
291 while IFS=: read key_id _; do
292 # skip blank lines, comments; these are valid in this file
293 [[ -z $key_id || ${key_id:0:1} = \# ]] && continue
295 # Mark this key to be lsigned
296 trusted_ids[$key_id]=$keyring
297 done < "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
299 done
301 if (( ${#trusted_ids[@]} > 0 )); then
302 msg "$(gettext "Locally signing trusted keys in keyring...")"
303 for key_id in "${!trusted_ids[@]}"; do
304 msg2 "$(gettext "Locally signing key %s...")" "${key_id}"
305 lsign_keys "${key_id}"
306 done
307 msg "$(gettext "Importing owner trust values...")"
308 for keyring in "${KEYRINGIDS[@]}"; do
309 if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-trusted" ]]; then
310 "${GPG_PACMAN[@]}" --import-ownertrust "${KEYRING_IMPORT_DIR}/${keyring}-trusted"
312 done
315 # Read the revoked key IDs to an array. The conversion from whatever is
316 # inside the file to key ids is important, because key ids are the only
317 # guarantee of identification for the keys.
318 local -A revoked_ids
319 for keyring in "${KEYRINGIDS[@]}"; do
320 if [[ -s "${KEYRING_IMPORT_DIR}/${keyring}-revoked" ]]; then
321 mapfile -t keys < "${KEYRING_IMPORT_DIR}/${keyring}-revoked"
322 while IFS=: read _ _ _ _ key_id _; do
323 if [[ -n $key_id ]]; then
324 # Mark this key to be disabled
325 revoked_ids[$key_id]="${keyring}"
327 done < <("${GPG_PACMAN[@]}" --quiet --with-colons --list-keys "${keys[@]}" 2>/dev/null)
329 done
331 if (( ${#revoked_ids[@]} > 0 )); then
332 msg "$(gettext "Disabling revoked keys in keyring...")"
333 for key_id in "${!revoked_ids[@]}"; do
334 msg2 "$(gettext "Disabling key %s...")" "${key_id}"
335 printf 'disable\nquit\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --edit-key "${key_id}" 2>/dev/null
336 done
340 add_keys() {
341 if ! "${GPG_PACMAN[@]}" --quiet --batch --import "$@" ; then
342 error "$(gettext "A specified keyfile could not be added to the keyring.")"
343 exit 1
347 delete_keys() {
348 check_keyids_exist "$@"
349 if ! "${GPG_PACMAN[@]}" --quiet --batch --delete-key --yes "$@" ; then
350 error "$(gettext "A specified key could not be removed from the keyring.")"
351 exit 1
355 edit_keys() {
356 check_keyids_exist "$@"
357 local ret=0
358 for key in "$@"; do
359 if ! "${GPG_PACMAN[@]}" --edit-key "$key" ; then
360 error "$(gettext "The key identified by %s could not be edited.")" "$key"
361 ret=1
363 done
364 if (( ret )); then
365 exit 1
369 export_keys() {
370 check_keyids_exist "$@"
371 if ! "${GPG_PACMAN[@]}" --armor --export "$@" ; then
372 error "$(gettext "A specified key could not be exported from the keyring.")"
373 exit 1
377 finger_keys() {
378 check_keyids_exist
379 if ! "${GPG_PACMAN[@]}" --batch --fingerprint "$@" ; then
380 error "$(gettext "The fingerprint of a specified key could not be determined.")"
381 exit 1
385 import_trustdb() {
386 local importdir
387 local ret=0
388 for importdir in "$@"; do
389 if [[ -f "${importdir}/trustdb.gpg" ]]; then
390 gpg --homedir "${importdir}" --export-ownertrust | \
391 "${GPG_PACMAN[@]}" --import-ownertrust -
392 if (( PIPESTATUS )); then
393 error "$(gettext "%s could not be imported.")" "${importdir}/trustdb.gpg"
394 ret=1
396 else
397 error "$(gettext "File %s does not exist and could not be imported.")" "${importdir}/trustdb.gpg"
398 ret=1
400 done
401 if (( ret )); then
402 exit 1
406 import() {
407 local importdir
408 local ret=0
409 for importdir in "$@"; do
410 if [[ -f "${importdir}/pubring.gpg" ]]; then
411 if ! "${GPG_PACMAN[@]}" --quiet --batch --import "${importdir}/pubring.gpg" ; then
412 error "$(gettext "%s could not be imported.")" "${importdir}/pubring.gpg"
413 ret=1
415 else
416 error "$(gettext "File %s does not exist and could not be imported.")" "${importdir}/pubring.gpg"
417 ret=1
419 done
420 if (( ret )); then
421 exit 1
425 list_keys() {
426 check_keyids_exist
427 if ! "${GPG_PACMAN[@]}" --batch --list-keys "$@" ; then
428 error "$(gettext "A specified key could not be listed.")"
429 exit 1
433 list_sigs() {
434 check_keyids_exist
435 if ! "${GPG_PACMAN[@]}" --batch --list-sigs "$@" ; then
436 error "$(gettext "A specified signature could not be listed.")"
437 exit 1
441 lsign_keys() {
442 check_keyids_exist
443 # we cannot use --yes here as gpg would still ask for confirmation if a key has more than one uid
444 printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "$@" 2>/dev/null
445 if (( PIPESTATUS[1] )); then
446 error "$(gettext "A specified key could not be locally signed.")"
447 exit 1
451 receive_keys() {
452 local name id keyids
454 # if the key is not a hex ID, do a lookup
455 for name; do
456 if [[ $name = ?(0x)+([0-9a-fA-F]) ]]; then
457 keyids+=("$name")
458 else
459 if id=$(key_lookup_from_name "$name"); then
460 keyids+=("$id")
463 done
465 (( ${#keyids[*]} > 0 )) || exit 1
467 if ! "${GPG_PACMAN[@]}" --recv-keys "${keyids[@]}" ; then
468 error "$(gettext "Remote key not fetched correctly from keyserver.")"
469 exit 1
473 refresh_keys() {
474 check_keyids_exist "$@"
475 if ! "${GPG_PACMAN[@]}" --refresh-keys "$@" ; then
476 error "$(gettext "A specified local key could not be updated from a keyserver.")"
477 exit 1
481 verify_sig() {
482 local ret=0
483 for sig; do
484 msg "Checking %s ..." "$sig"
485 if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE 'TRUST_(FULLY|ULTIMATE)'; then
486 error "$(gettext "The signature identified by %s could not be verified.")" "$sig"
487 ret=1
489 done
490 exit $ret
493 updatedb() {
494 msg "$(gettext "Updating trust database...")"
495 if ! "${GPG_PACMAN[@]}" --batch --check-trustdb ; then
496 error "$(gettext "Trust database could not be updated.")"
497 exit 1
501 # PROGRAM START
502 if ! type gettext &>/dev/null; then
503 gettext() {
504 echo "$@"
508 OPT_SHORT="adefhlruvV"
509 OPT_LONG=('add' 'config:' 'delete' 'edit-key' 'export' 'finger' 'gpgdir:'
510 'help' 'import' 'import-trustdb' 'init' 'keyserver:' 'list-keys' 'list-sigs'
511 'lsign-key' 'populate' 'recv-keys' 'refresh-keys' 'updatedb'
512 'verify' 'version')
513 if ! parseopts "$OPT_SHORT" "${OPT_LONG[@]}" -- "$@"; then
514 exit 1 # E_INVALID_OPTION;
516 set -- "${OPTRET[@]}"
517 unset OPT_SHORT OPT_LONG OPTRET
519 if [[ $1 == "--" ]]; then
520 usage;
521 exit 0;
524 while (( $# )); do
525 case $1 in
526 -a|--add) ADD=1 UPDATEDB=1 ;;
527 --config) shift; CONFIG=$1 ;;
528 -d|--delete) DELETE=1 UPDATEDB=1 ;;
529 --edit-key) EDITKEY=1 UPDATEDB=1 ;;
530 -e|--export) EXPORT=1 ;;
531 -f|--finger) FINGER=1 ;;
532 --gpgdir) shift; PACMAN_KEYRING_DIR=$1 ;;
533 --import) IMPORT=1 UPDATEDB=1 ;;
534 --import-trustdb) IMPORT_TRUSTDB=1 UPDATEDB=1 ;;
535 --init) INIT=1 ;;
536 --keyserver) shift; KEYSERVER=$1 ;;
537 -l|--list-keys) LISTKEYS=1 ;;
538 --list-sigs) LISTSIGS=1 ;;
539 --lsign-key) LSIGNKEY=1 UPDATEDB=1 ;;
540 --populate) POPULATE=1 UPDATEDB=1 ;;
541 -r|--recv-keys) RECEIVE=1 UPDATEDB=1 ;;
542 --refresh-keys) REFRESH=1 ;;
543 -u|--updatedb) UPDATEDB=1 ;;
544 -v|--verify) VERIFY=1 ;;
546 -h|--help) usage; exit 0 ;;
547 -V|--version) version; exit 0 ;;
549 --) shift; break 2 ;;
550 esac
551 shift
552 done
555 if ! type -p gpg >/dev/null; then
556 error "$(gettext "Cannot find the %s binary required for all %s operations.")" "gpg" "pacman-key"
557 exit 1
560 if (( (ADD || DELETE || EDITKEY || IMPORT || IMPORT_TRUSTDB || INIT || LSIGNKEY || POPULATE || RECEIVE || REFRESH || UPDATEDB) && EUID != 0 )); then
561 error "$(gettext "%s needs to be run as root for this operation.")" "pacman-key"
562 exit 1
565 CONFIG=${CONFIG:-@sysconfdir@/pacman.conf}
566 if [[ ! -r "${CONFIG}" ]]; then
567 error "$(gettext "%s configuration file '%s' not found.")" "pacman" "$CONFIG"
568 exit 1
571 # if PACMAN_KEYRING_DIR isn't assigned, try to get it from the config
572 # file, falling back on a hard default
573 PACMAN_KEYRING_DIR=${PACMAN_KEYRING_DIR:-$(get_from "$CONFIG" "GPGDir" "@sysconfdir@/pacman.d/gnupg")}
575 GPG_PACMAN=(gpg --homedir "${PACMAN_KEYRING_DIR}" --no-permission-warning)
576 if [[ -n ${KEYSERVER} ]]; then
577 GPG_PACMAN+=(--keyserver "${KEYSERVER}")
580 # check only a single operation has been given
581 # don't include UPDATEDB in here as other opts can induce it
582 numopt=$(( ADD + DELETE + EDITKEY + EXPORT + FINGER + IMPORT + IMPORT_TRUSTDB +
583 INIT + LISTKEYS + LISTSIGS + LSIGNKEY + POPULATE + RECEIVE + REFRESH + VERIFY ))
585 case $numopt in
587 if (( ! UPDATEDB )); then
588 error "$(gettext "no operation specified (use -h for help)")"
589 exit 1
592 [!1])
593 error "$(gettext "Multiple operations specified.")"
594 msg "$(gettext "Please run %s with each operation separately.")" "pacman-key"
595 exit 1
597 esac
599 # check for targets where needed
600 if (( (ADD || DELETE || EDIT || IMPORT || IMPORT_TRUSTDB ||
601 LSIGNKEY || RECEIVE || VERIFY) && $# == 0 )); then
602 error "$(gettext "No targets specified")"
603 exit 1
606 (( ! INIT )) && check_keyring
608 (( ADD )) && add_keys "$@"
609 (( DELETE )) && delete_keys "$@"
610 (( EDITKEY )) && edit_keys "$@"
611 (( EXPORT )) && export_keys "$@"
612 (( FINGER )) && finger_keys "$@"
613 (( IMPORT )) && import "$@"
614 (( IMPORT_TRUSTDB)) && import_trustdb "$@"
615 (( INIT )) && initialize
616 (( LISTKEYS )) && list_keys "$@"
617 (( LISTSIGS )) && list_sigs "$@"
618 (( LSIGNKEY )) && lsign_keys "$@"
619 (( POPULATE )) && populate_keyring "$@"
620 (( RECEIVE )) && receive_keys "$@"
621 (( REFRESH )) && refresh_keys "$@"
622 (( VERIFY )) && verify_sig "$@"
624 (( UPDATEDB )) && updatedb
626 exit 0
628 # vim: set ts=2 sw=2 noet: