commit: dcdb15b823c6ff9a2862a8d1ee57054926148f2e |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Tue Jan 3 04:48:17 2023 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Tue Jan 3 04:48:17 2023 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcdb15b8 |
|
sec-keys/openpgp-keys-gentoo-developers: add 20230102 |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
sec-keys/openpgp-keys-gentoo-developers/Manifest | 1 + |
.../openpgp-keys-gentoo-developers-20230102.ebuild | 231 +++++++++++++++++++++ |
2 files changed, 232 insertions(+) |
|
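--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,2 +1,3 @@
 DIST openpgp-keys-gentoo-developers-20220830-active-devs.gpg 3234718 BLAKE2B 80753222b4d2febf0d8568503d646e0258410010eefa35ea3914f5979ea05f12634676212df392f5ddbb153899cd7452ee89d412bea9de8e67abf93243444fa8 SHA512 2676fe541cdad8755f745ebd24badd7b4193bdff71f478f2442fea84e1e07b060564d437ce642b01a37ba8086a8177a84c32abf3dd794be8e587e1740bed2af2
 DIST openpgp-keys-gentoo-developers-20221031-active-devs.gpg 3275029 BLAKE2B 1d238a0d18760599c8d43fd6e45091acb88e6569226a7740762ac3f94cc9473650c66c9815c3e5cca12f196b1aa306776a67b836e72eb65aac6e80dfdaa0a78d SHA512 25bc32b8e724087345a7beb0f17c5229622436671102296b234e0a938b14e4cc341dab89b66e2f78d42432ecc3ac607e18647a820d3c5ab85b92fd62b1ade058
+DIST openpgp-keys-gentoo-developers-20230102-active-devs.gpg 3059326 BLAKE2B 5806b9680228aaa83a1f668845b01741591e8b235a6fe7e808a73d652393d42dd4ebe4b378063cb0a5f12c8510b1accf358d407175717fc130894b0d497d10f2 SHA512 8002316b16c9b7b294d349d25709ef5dbce055b2865a901b16dd41daa0e27c0e1fcdff633f204a31ba7a25d6ad326a803209dbefd9eadacb7098975b144defd5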
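--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230102.ebuild
@@ -0,0 +1,231 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+inherit edo python-any-r1
+
+DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+if [[ ${PV} == 9999* ]] ; then
+ PROPERTIES="live"
+
+ BDEPEND="net-misc/curl"
+else
+ SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
+fi
+
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+IUSE="test"
+RESTRICT="!test? ( test )"
+
+BDEPEND+="
+ $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
+ sec-keys/openpgp-keys-gentoo-auth
+ test? (
+ app-crypt/gnupg
+ )
+"
+
+python_check_deps() {
+ python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
+}
+
+src_unpack() {
+ if [[ ${PV} == 9999* ]] ; then
+ curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
+ else
+ default
+ fi
+}
+
+src_compile() {
+ export GNUPGHOME="${T}"/.gnupg
+
+ get_gpg_keyring_dir() {
+ if [[ ${PV} == 9999* ]] ; then
+ echo "${WORKDIR}"
+ else
+ echo "${DISTDIR}"
+ fi
+ }
+
+ local mygpgargs=(
+ --no-autostart
+ --no-default-keyring
+ --homedir "${GNUPGHOME}"
+ )
+
+ # From verify-sig.eclass:
+ # "GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME."
+ addpredict /run/user
+
+ mkdir "${GNUPGHOME}" || die
+ chmod 700 "${GNUPGHOME}" || die
+
+ # Convert the binary keyring into an armored one so we can process it
+ edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
+ edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
+
+ # Now strip out the keys which are expired and/or missing a signature
+ # from our L2 developer authority key
+ edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+ "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+ "${WORKDIR}"/gentoo-developers.asc \
+ "${WORKDIR}"/gentoo-developers-sanitised.asc
+}
+
+src_test() {
+ export GNUPGHOME="${T}"/tests/.gnupg
+
+ local mygpgargs=(
+ # We don't have --no-autostart here because we need
+ # to let it spawn an agent for the key generation.
+ --no-default-keyring
+ --homedir "${GNUPGHOME}"
+ )
+
+ # From verify-sig.eclass:
+ # "GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME."
+ addpredict /run/user
+
+ # Check each of the keys to verify they're trusted by
+ # the L2 developer key.
+ mkdir -p "${GNUPGHOME}" || die
+ chmod 700 "${GNUPGHOME}" || die
+ cd "${T}"/tests || die
+
+ # First, grab the L1 key, and mark it as ultimately trusted.
+ edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
+ edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
+
+ # Generate a temporary key which isn't signed by anything to check
+ # whether we're detecting unexpected keys.
+ #
+ # The test is whether this appears in the sanitised keyring we
+ # produce in src_compile (it should not be in there).
+ #
+ # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
+ edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
+ %echo Generating temporary key for testing...
+
+ %no-protection
+ %transient-key
+ %pubring ${P}-ebuild-test-key.asc
+
+ Key-Type: 1
+ Key-Length: 2048
+ Subkey-Type: 1
+ Subkey-Length: 2048
+ Name-Real: Larry The Cow
+ Name-Email: larry@×××××××.com
+ Expire-Date: 0
+ Handle: ${P}-ebuild-test-key
+
+ %commit
+ %echo Temporary key generated!
+ EOF
+
+ # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
+ edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
+
+ # Sign a tiny file with the to-be-injected key for testing rejection below
+ echo "Hello world!" > "${T}"/tests/signme || die
+ edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@×××××××.com>" --sign "${T}"/tests/signme || die
+
+ edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
+
+ # keyring-mangler.py should now produce a keyring *without* it
+ edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+ "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+ "${T}"/tests/tainted-keyring.asc \
+ "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
+ assert "Key mangling in tests failed?"
+
+ # Check the log to verify the injected key got detected
+ grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
+
+ # gnupg doesn't have an easy way for us to actually just.. ask
+ # if a key is known via WoT. So, sign a file using the key
+ # we just made, and then try to gpg --verify it, and check exit code.
+ #
+ # Let's now double check by seeing if a file signed by the injected key
+ # is rejected.
+ if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
+ die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
+ fi
+
+ # Bonus lame sanity check
+ edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
+ assert "trustdb call failed!"
+
+ check_trust_levels() {
+ local mode=${1}
+
+ while IFS= read -r line; do
+ # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
+ # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
+ if [[ ${line} == *depth* ]] ; then
+ depth=$(echo ${line} | grep -Po "depth: [0-9]")
+ trust=$(echo ${line} | grep -Po "trust:.*")
+
+ trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
+ [[ ${trust_uncalculated} == 0 ]] || ${mode}
+
+ trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
+ [[ ${trust_insufficient} == 0 ]] || ${mode}
+
+ trust_never=$(echo ${trust} | grep -Po "[0-9]n")
+ [[ ${trust_never} == 0 ]] || ${mode}
+
+ trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
+ [[ ${trust_marginal} == 0 ]] || ${mode}
+
+ trust_full=$(echo ${trust} | grep -Po "[0-9]f")
+ [[ ${trust_full} != 0 ]] || ${mode}
+
+ trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
+ [[ ${trust_ultimate} == 1 ]] || ${mode}
+
+ echo "${trust_uncalculated}, ${trust_insufficient}"
+ fi
+ done < "${T}"/tests/trustdb.log
+ }
+
+ # First, check with the bad key still in the test keyring.
+ # This is supposed to fail, so we want it to return 1
+ check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
+
+ # Now check without the bad key in the test keyring.
+ # This one should pass.
+ #
+ # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
+ keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@×××××××.com>" \
+ | grep "^fpr" \
+ | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
+
+ for key in ${keys[@]} ; do
+ nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
+ done
+
+ edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@×××××××.com>"
+ check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
+
+ gpgconf --kill gpg-agent || die
+}
+
+src_install() {
+ insinto /usr/share/openpgp-keys
+ newins gentoo-developers-sanitised.asc gentoo-developers.asc
+
+ # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
+}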
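Review bot: check_trust_levels in src_test is vacuous as written: `grep -Po "[0-9]-"` (and the q/n/m/f/u variants) print the digit together with its class letter, so `[[ ${trust_uncalculated} == 0 ]]` compares `0-` against `0`, never holds, and `${mode}` runs on the first depth line no matter what the trustdb contains; since `${mode}` is `return 0` on the second call and completing the loop also yields 0, the `|| die "Trustdb failed when it should have passed!"` line can never fire either. A lookahead such as `[0-9]+(?=-)` keeps only the count, and accumulating violations into a local counter with a single exit status lets both callers keep their `&& die` / `|| die` without a mode argument. The f/u expectations cannot hold on every depth line as written (the quoted sample has 0f at depth 0 and 0u at depth 1), so the sketch below leaves those to a per-depth decision, and it assumes the injected, unsigned key shows up as a non-zero `-` or `q` count — worth confirming against a real trustdb.log; `depth`, `trust` and the count variables are also not declared `local`, and the `echo "${trust_uncalculated}, …"` reads like leftover debugging. Separately, the live branch of src_unpack runs `curl` without `--fail`, so an HTTP error body would be saved as `${P}-active-devs.gpg` and only surface later at `gpg --import`; `curl --fail -o "${P}"-active-devs.gpg …` reports it at fetch time.
```bash
	# Return non-zero if any depth line of trustdb.log reports keys with
	# unknown (-), undefined (q), never (n) or marginal (m) trust; the
	# callers decide whether that is the expected outcome.
	check_trust_levels() {
		local line trust class count failures=0

		while IFS= read -r line; do
			# gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
			[[ ${line} == *depth* ]] || continue
			trust=$(grep -Po "trust:.*" <<< "${line}")

			for class in - q n m ; do
				# Lookahead keeps only the digits; "[0-9]-" also captured the letter.
				# An absent field leaves count empty and is counted as a failure.
				count=$(grep -Po "[0-9]+(?=${class})" <<< "${trust}")
				[[ ${count} == 0 ]] || failures=$(( failures + 1 ))
			done
			# TODO: the f/u counts legitimately differ per depth; decide what to assert.
		done < "${T}"/tests/trustdb.log

		[[ ${failures} == 0 ]]
	}

	# … unchanged: comments before the first call …
	check_trust_levels && die "Trustdb passed when it should have failed!"
	# … unchanged: removal of the injected key …
	check_trust_levels || die "Trustdb failed when it should have passed!"
```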