
From: Sam James <sam@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/
Date: Tue, 03 Jan 2023 04:49:03
Message-Id: 1672721297.dcdb15b823c6ff9a2862a8d1ee57054926148f2e.sam@gentoo
1 commit: dcdb15b823c6ff9a2862a8d1ee57054926148f2e
2 Author: Sam James <sam <AT> gentoo <DOT> org>
3 AuthorDate: Tue Jan 3 04:48:17 2023 +0000
4 Commit: Sam James <sam <AT> gentoo <DOT> org>
5 CommitDate: Tue Jan 3 04:48:17 2023 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dcdb15b8
7
8 sec-keys/openpgp-keys-gentoo-developers: add 20230102
9
10 Signed-off-by: Sam James <sam <AT> gentoo.org>
11
12 sec-keys/openpgp-keys-gentoo-developers/Manifest | 1 +
13 .../openpgp-keys-gentoo-developers-20230102.ebuild | 231 +++++++++++++++++++++
14 2 files changed, 232 insertions(+)
15
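--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,2 +1,3 @@
 DIST openpgp-keys-gentoo-developers-20220830-active-devs.gpg 3234718 BLAKE2B 80753222b4d2febf0d8568503d646e0258410010eefa35ea3914f5979ea05f12634676212df392f5ddbb153899cd7452ee89d412bea9de8e67abf93243444fa8 SHA512 2676fe541cdad8755f745ebd24badd7b4193bdff71f478f2442fea84e1e07b060564d437ce642b01a37ba8086a8177a84c32abf3dd794be8e587e1740bed2af2
 DIST openpgp-keys-gentoo-developers-20221031-active-devs.gpg 3275029 BLAKE2B 1d238a0d18760599c8d43fd6e45091acb88e6569226a7740762ac3f94cc9473650c66c9815c3e5cca12f196b1aa306776a67b836e72eb65aac6e80dfdaa0a78d SHA512 25bc32b8e724087345a7beb0f17c5229622436671102296b234e0a938b14e4cc341dab89b66e2f78d42432ecc3ac607e18647a820d3c5ab85b92fd62b1ade058
+DIST openpgp-keys-gentoo-developers-20230102-active-devs.gpg 3059326 BLAKE2B 5806b9680228aaa83a1f668845b01741591e8b235a6fe7e808a73d652393d42dd4ebe4b378063cb0a5f12c8510b1accf358d407175717fc130894b0d497d10f2 SHA512 8002316b16c9b7b294d349d25709ef5dbce055b2865a901b16dd41daa0e27c0e1fcdff633f204a31ba7a25d6ad326a803209dbefd9eadacb7098975b144defd5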
25 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230102.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230102.ebuild
26 new file mode 100644
27 index 000000000000..2d106e87ca20
28 --- /dev/null
29 +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230102.ebuild
30 @@ -0,0 +1,231 @@
31 +# Copyright 1999-2023 Gentoo Authors
32 +# Distributed under the terms of the GNU General Public License v2
33 +
34 +EAPI=8
35 +
36 +PYTHON_COMPAT=( python3_{9..11} )
37 +inherit edo python-any-r1
38 +
39 +DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
40 +HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
41 +if [[ ${PV} == 9999* ]] ; then
42 + PROPERTIES="live"
43 +
44 + BDEPEND="net-misc/curl"
45 +else
46 + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
47 + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
48 +fi
49 +
50 +S="${WORKDIR}"
51 +
52 +LICENSE="public-domain"
53 +SLOT="0"
54 +IUSE="test"
55 +RESTRICT="!test? ( test )"
56 +
57 +BDEPEND+="
58 + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
59 + sec-keys/openpgp-keys-gentoo-auth
60 + test? (
61 + app-crypt/gnupg
62 + )
63 +"
64 +
65 +python_check_deps() {
66 + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
67 +}
68 +
69 +src_unpack() {
70 + if [[ ${PV} == 9999* ]] ; then
71 + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
72 + else
73 + default
74 + fi
75 +}
76 +
77 +src_compile() {
78 + export GNUPGHOME="${T}"/.gnupg
79 +
80 + get_gpg_keyring_dir() {
81 + if [[ ${PV} == 9999* ]] ; then
82 + echo "${WORKDIR}"
83 + else
84 + echo "${DISTDIR}"
85 + fi
86 + }
87 +
88 + local mygpgargs=(
89 + --no-autostart
90 + --no-default-keyring
91 + --homedir "${GNUPGHOME}"
92 + )
93 +
94 + # From verify-sig.eclass:
95 + # "GPG upstream knows better than to follow the spec, so we can't
96 + # override this directory. However, there is a clean fallback
97 + # to GNUPGHOME."
98 + addpredict /run/user
99 +
100 + mkdir "${GNUPGHOME}" || die
101 + chmod 700 "${GNUPGHOME}" || die
102 +
103 + # Convert the binary keyring into an armored one so we can process it
104 + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
105 + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
106 +
107 + # Now strip out the keys which are expired and/or missing a signature
108 + # from our L2 developer authority key
109 + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
110 + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
111 + "${WORKDIR}"/gentoo-developers.asc \
112 + "${WORKDIR}"/gentoo-developers-sanitised.asc
113 +}
114 +
115 +src_test() {
116 + export GNUPGHOME="${T}"/tests/.gnupg
117 +
118 + local mygpgargs=(
119 + # We don't have --no-autostart here because we need
120 + # to let it spawn an agent for the key generation.
121 + --no-default-keyring
122 + --homedir "${GNUPGHOME}"
123 + )
124 +
125 + # From verify-sig.eclass:
126 + # "GPG upstream knows better than to follow the spec, so we can't
127 + # override this directory. However, there is a clean fallback
128 + # to GNUPGHOME."
129 + addpredict /run/user
130 +
131 + # Check each of the keys to verify they're trusted by
132 + # the L2 developer key.
133 + mkdir -p "${GNUPGHOME}" || die
134 + chmod 700 "${GNUPGHOME}" || die
135 + cd "${T}"/tests || die
136 +
137 + # First, grab the L1 key, and mark it as ultimately trusted.
138 + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
139 + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
140 +
141 + # Generate a temporary key which isn't signed by anything to check
142 + # whether we're detecting unexpected keys.
143 + #
144 + # The test is whether this appears in the sanitised keyring we
145 + # produce in src_compile (it should not be in there).
146 + #
147 + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
148 + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
149 + %echo Generating temporary key for testing...
150 +
151 + %no-protection
152 + %transient-key
153 + %pubring ${P}-ebuild-test-key.asc
154 +
155 + Key-Type: 1
156 + Key-Length: 2048
157 + Subkey-Type: 1
158 + Subkey-Length: 2048
159 + Name-Real: Larry The Cow
160 + Name-Email: larry@×××××××.com
161 + Expire-Date: 0
162 + Handle: ${P}-ebuild-test-key
163 +
164 + %commit
165 + %echo Temporary key generated!
166 + EOF
167 +
168 + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
169 + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
170 +
171 + # Sign a tiny file with the to-be-injected key for testing rejection below
172 + echo "Hello world!" > "${T}"/tests/signme || die
173 + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@×××××××.com>" --sign "${T}"/tests/signme || die
174 +
175 + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
176 +
177 + # keyring-mangler.py should now produce a keyring *without* it
178 + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
179 + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
180 + "${T}"/tests/tainted-keyring.asc \
181 + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
182 + assert "Key mangling in tests failed?"
183 +
184 + # Check the log to verify the injected key got detected
185 + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
186 +
187 + # gnupg doesn't have an easy way for us to actually just.. ask
188 + # if a key is known via WoT. So, sign a file using the key
189 + # we just made, and then try to gpg --verify it, and check exit code.
190 + #
191 + # Let's now double check by seeing if a file signed by the injected key
192 + # is rejected.
193 + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
194 + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
195 + fi
196 +
197 + # Bonus lame sanity check
198 + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
199 + assert "trustdb call failed!"
200 +
201 + check_trust_levels() {
202 + local mode=${1}
203 +
204 + while IFS= read -r line; do
205 + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
206 + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
207 + if [[ ${line} == *depth* ]] ; then
208 + depth=$(echo ${line} | grep -Po "depth: [0-9]")
209 + trust=$(echo ${line} | grep -Po "trust:.*")
210 +
211 + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
212 + [[ ${trust_uncalculated} == 0 ]] || ${mode}
213 +
214 + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
215 + [[ ${trust_insufficient} == 0 ]] || ${mode}
216 +
217 + trust_never=$(echo ${trust} | grep -Po "[0-9]n")
218 + [[ ${trust_never} == 0 ]] || ${mode}
219 +
220 + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
221 + [[ ${trust_marginal} == 0 ]] || ${mode}
222 +
223 + trust_full=$(echo ${trust} | grep -Po "[0-9]f")
224 + [[ ${trust_full} != 0 ]] || ${mode}
225 +
226 + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
227 + [[ ${trust_ultimate} == 1 ]] || ${mode}
228 +
229 + echo "${trust_uncalculated}, ${trust_insufficient}"
230 + fi
231 + done < "${T}"/tests/trustdb.log
232 + }
233 +
234 + # First, check with the bad key still in the test keyring.
235 + # This is supposed to fail, so we want it to return 1
236 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
237 +
238 + # Now check without the bad key in the test keyring.
239 + # This one should pass.
240 + #
241 + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
242 + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@×××××××.com>" \
243 + | grep "^fpr" \
244 + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
245 +
246 + for key in ${keys[@]} ; do
247 + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
248 + done
249 +
250 + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@×××××××.com>"
251 + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
252 +
253 + gpgconf --kill gpg-agent || die
254 +}
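Review bot: The trust-level checks at the end of src_test appear to be vacuous: `grep -Po "[0-9]-"` (and the q/n/m/f/u variants) capture the suffix letter together with the count, so `[[ ${trust_uncalculated} == 0 ]]` compares `0-` against `0` and never holds, and the pass-mode call hands in `return 0` as the mismatch action, so a mismatch in that mode can never reach `die`. As written, both `check_trust_levels "return 1" && die` and `check_trust_levels "return 0" || die` pass regardless of what `--check-trustdb` reported, leaving the keyring-mangler log grep and the `gpg --verify` rejection above as the only checks that actually exercise the injected key. I'd capture only the count with a lookahead, always `return 1` on a mismatch and let the two callers choose `&& die` / `|| die`, as below; I have not checked which counts gpg prints with the unsigned key still present, so the expected values may need adjusting once the comparisons bite. Separately, the live branch of src_unpack fetches with plain `curl`, which exits 0 on an HTTP error and saves the error body for `gpg --import` to choke on later, so `curl -f` (or `--fail`) and a quoted `"${P}"` would fail at the fetch instead.
```shell
	check_trust_levels() {
		local line trust
		while IFS= read -r line; do
			# … unchanged: example --check-trustdb lines …
			[[ ${line} == *depth* ]] || continue
			trust=$(grep -Po "trust:.*" <<<"${line}")
			# Capture only the count; a "[0-9]-" pattern keeps the suffix letter,
			# so comparing it against a bare 0/1 never matches.
			[[ $(grep -Po "[0-9]+(?=-)" <<<"${trust}") == 0 ]] || return 1
			[[ $(grep -Po "[0-9]+(?=q)" <<<"${trust}") == 0 ]] || return 1
			[[ $(grep -Po "[0-9]+(?=n)" <<<"${trust}") == 0 ]] || return 1
			[[ $(grep -Po "[0-9]+(?=m)" <<<"${trust}") == 0 ]] || return 1
			[[ $(grep -Po "[0-9]+(?=f)" <<<"${trust}") != 0 ]] || return 1
			[[ $(grep -Po "[0-9]+(?=u)" <<<"${trust}") == 1 ]] || return 1
		done < "${T}"/tests/trustdb.log
	}

	# … unchanged: comments …
	check_trust_levels && die "Trustdb passed when it should have failed!"
	# … unchanged: deletion of the injected key …
	check_trust_levels || die "Trustdb failed when it should have passed!"
```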
255 +
256 +src_install() {
257 + insinto /usr/share/openpgp-keys
258 + newins gentoo-developers-sanitised.asc gentoo-developers.asc
259 +
260 + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
261 +}