1 |
commit: d30191b887bb3a3d896c2b8bbf57571e8821b413 |
2 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Feb 1 13:30:46 2018 +0000 |
4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Feb 5 18:43:35 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=d30191b8 |
7 |
|
8 |
git: Support running the verification against sync-openpgp-key-path |
9 |
|
10 |
Closes: https://github.com/gentoo/portage/pull/252 |
11 |
Reviewed-by: Zac Medico <zmedico <AT> gentoo.org> |
12 |
|
13 |
pym/portage/sync/modules/git/git.py | 101 +++++++++++++++++++++++++----------- |
14 |
1 file changed, 70 insertions(+), 31 deletions(-) |
15 |
|
16 |
diff --git a/pym/portage/sync/modules/git/git.py b/pym/portage/sync/modules/git/git.py |
17 |
index 7e5ddf3b5..cec760d00 100644 |
18 |
--- a/pym/portage/sync/modules/git/git.py |
19 |
+++ b/pym/portage/sync/modules/git/git.py |
20 |
@@ -1,6 +1,7 @@ |
21 |
# Copyright 2005-2018 Gentoo Foundation |
22 |
# Distributed under the terms of the GNU General Public License v2 |
23 |
|
24 |
+import io |
25 |
import logging |
26 |
import subprocess |
27 |
|
28 |
@@ -13,6 +14,12 @@ bad = create_color_func("BAD") |
29 |
warn = create_color_func("WARN") |
30 |
from portage.sync.syncbase import NewBase |
31 |
|
32 |
+try: |
33 |
+ from gemato.exceptions import GematoException |
34 |
+ import gemato.openpgp |
35 |
+except ImportError: |
36 |
+ gemato = None |
37 |
+ |
38 |
|
39 |
class GitSync(NewBase): |
40 |
'''Git sync class''' |
41 |
@@ -141,39 +148,71 @@ class GitSync(NewBase): |
42 |
'sync-git-verify-commit-signature', 'false') != 'true'): |
43 |
return True |
44 |
|
45 |
- rev_cmd = [self.bin_command, "log", "--pretty=format:%G?", "-1"] |
46 |
- try: |
47 |
- status = (portage._unicode_decode( |
48 |
- subprocess.check_output(rev_cmd, |
49 |
- cwd=portage._unicode_encode(self.repo.location))) |
50 |
- .strip()) |
51 |
- except subprocess.CalledProcessError: |
52 |
- return False |
53 |
- |
54 |
- out = EOutput() |
55 |
- if status == 'G': # good signature is good |
56 |
- out.einfo('Trusted signature found on top commit') |
57 |
- return True |
58 |
- elif status == 'U': # untrusted |
59 |
- out.ewarn('Top commit signature is valid but not trusted') |
60 |
- return True |
61 |
+ if self.repo.sync_openpgp_key_path is not None: |
62 |
+ if gemato is None: |
63 |
+ writemsg_level("!!! Verifying against specified key requires gemato-11.0+ installed\n", |
64 |
+ level=logging.ERROR, noiselevel=-1) |
65 |
+ return False |
66 |
+ openpgp_env = gemato.openpgp.OpenPGPEnvironment() |
67 |
else: |
68 |
- if status == 'B': |
69 |
- expl = 'bad signature' |
70 |
- elif status == 'X': |
71 |
- expl = 'expired signature' |
72 |
- elif status == 'Y': |
73 |
- expl = 'expired key' |
74 |
- elif status == 'R': |
75 |
- expl = 'revoked key' |
76 |
- elif status == 'E': |
77 |
- expl = 'unable to verify signature (missing key?)' |
78 |
- elif status == 'N': |
79 |
- expl = 'no signature' |
80 |
+ openpgp_env = None |
81 |
+ |
82 |
+ try: |
83 |
+ out = EOutput() |
84 |
+ env = None |
85 |
+ if openpgp_env is not None: |
86 |
+ try: |
87 |
+ out.einfo('Using keys from %s' % (self.repo.sync_openpgp_key_path,)) |
88 |
+ with io.open(self.repo.sync_openpgp_key_path, 'rb') as f: |
89 |
+ openpgp_env.import_key(f) |
90 |
+ out.ebegin('Refreshing keys from keyserver') |
91 |
+ openpgp_env.refresh_keys() |
92 |
+ out.eend(0) |
93 |
+ except GematoException as e: |
94 |
+ writemsg_level("!!! Verification impossible due to keyring problem:\n%s\n" |
95 |
+ % (e,), |
96 |
+ level=logging.ERROR, noiselevel=-1) |
97 |
+ return (1, False) |
98 |
+ |
99 |
+ env = os.environ.copy() |
100 |
+ env['GNUPGHOME'] = openpgp_env.home |
101 |
+ |
102 |
+ rev_cmd = [self.bin_command, "log", "--pretty=format:%G?", "-1"] |
103 |
+ try: |
104 |
+ status = (portage._unicode_decode( |
105 |
+ subprocess.check_output(rev_cmd, |
106 |
+ cwd=portage._unicode_encode(self.repo.location), |
107 |
+ env=env)) |
108 |
+ .strip()) |
109 |
+ except subprocess.CalledProcessError: |
110 |
+ return False |
111 |
+ |
112 |
+ if status == 'G': # good signature is good |
113 |
+ out.einfo('Trusted signature found on top commit') |
114 |
+ return True |
115 |
+ elif status == 'U': # untrusted |
116 |
+ out.ewarn('Top commit signature is valid but not trusted') |
117 |
+ return True |
118 |
else: |
119 |
- expl = 'unknown issue' |
120 |
- out.eerror('No valid signature found: %s' % (expl,)) |
121 |
- return False |
122 |
+ if status == 'B': |
123 |
+ expl = 'bad signature' |
124 |
+ elif status == 'X': |
125 |
+ expl = 'expired signature' |
126 |
+ elif status == 'Y': |
127 |
+ expl = 'expired key' |
128 |
+ elif status == 'R': |
129 |
+ expl = 'revoked key' |
130 |
+ elif status == 'E': |
131 |
+ expl = 'unable to verify signature (missing key?)' |
132 |
+ elif status == 'N': |
133 |
+ expl = 'no signature' |
134 |
+ else: |
135 |
+ expl = 'unknown issue' |
136 |
+ out.eerror('No valid signature found: %s' % (expl,)) |
137 |
+ return False |
138 |
+ finally: |
139 |
+ if openpgp_env is not None: |
140 |
+ openpgp_env.close() |
141 |
|
142 |
def retrieve_head(self, **kwargs): |
143 |
'''Get information about the head commit''' |