| 1 |
commit: d30191b887bb3a3d896c2b8bbf57571e8821b413 |
| 2 |
Author: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu Feb 1 13:30:46 2018 +0000 |
| 4 |
Commit: Michał Górny <mgorny <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Feb 5 18:43:35 2018 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=d30191b8 |
| 7 |
|
| 8 |
git: Support running the verification against sync-openpgp-key-path |
| 9 |
|
| 10 |
Closes: https://github.com/gentoo/portage/pull/252 |
| 11 |
Reviewed-by: Zac Medico <zmedico <AT> gentoo.org> |
| 12 |
|
| 13 |
pym/portage/sync/modules/git/git.py | 101 +++++++++++++++++++++++++----------- |
| 14 |
1 file changed, 70 insertions(+), 31 deletions(-) |
| 15 |
|
| 16 |
diff --git a/pym/portage/sync/modules/git/git.py b/pym/portage/sync/modules/git/git.py |
| 17 |
index 7e5ddf3b5..cec760d00 100644 |
| 18 |
--- a/pym/portage/sync/modules/git/git.py |
| 19 |
+++ b/pym/portage/sync/modules/git/git.py |
| 20 |
@@ -1,6 +1,7 @@ |
| 21 |
# Copyright 2005-2018 Gentoo Foundation |
| 22 |
# Distributed under the terms of the GNU General Public License v2 |
| 23 |
|
| 24 |
+import io |
| 25 |
import logging |
| 26 |
import subprocess |
| 27 |
|
| 28 |
@@ -13,6 +14,12 @@ bad = create_color_func("BAD") |
| 29 |
warn = create_color_func("WARN") |
| 30 |
from portage.sync.syncbase import NewBase |
| 31 |
|
| 32 |
+try: |
| 33 |
+ from gemato.exceptions import GematoException |
| 34 |
+ import gemato.openpgp |
| 35 |
+except ImportError: |
| 36 |
+ gemato = None |
| 37 |
+ |
| 38 |
|
| 39 |
class GitSync(NewBase): |
| 40 |
'''Git sync class''' |
| 41 |
@@ -141,39 +148,71 @@ class GitSync(NewBase): |
| 42 |
'sync-git-verify-commit-signature', 'false') != 'true'): |
| 43 |
return True |
| 44 |
|
| 45 |
- rev_cmd = [self.bin_command, "log", "--pretty=format:%G?", "-1"] |
| 46 |
- try: |
| 47 |
- status = (portage._unicode_decode( |
| 48 |
- subprocess.check_output(rev_cmd, |
| 49 |
- cwd=portage._unicode_encode(self.repo.location))) |
| 50 |
- .strip()) |
| 51 |
- except subprocess.CalledProcessError: |
| 52 |
- return False |
| 53 |
- |
| 54 |
- out = EOutput() |
| 55 |
- if status == 'G': # good signature is good |
| 56 |
- out.einfo('Trusted signature found on top commit') |
| 57 |
- return True |
| 58 |
- elif status == 'U': # untrusted |
| 59 |
- out.ewarn('Top commit signature is valid but not trusted') |
| 60 |
- return True |
| 61 |
+ if self.repo.sync_openpgp_key_path is not None: |
| 62 |
+ if gemato is None: |
| 63 |
+ writemsg_level("!!! Verifying against specified key requires gemato-11.0+ installed\n", |
| 64 |
+ level=logging.ERROR, noiselevel=-1) |
| 65 |
+ return False |
| 66 |
+ openpgp_env = gemato.openpgp.OpenPGPEnvironment() |
| 67 |
else: |
| 68 |
- if status == 'B': |
| 69 |
- expl = 'bad signature' |
| 70 |
- elif status == 'X': |
| 71 |
- expl = 'expired signature' |
| 72 |
- elif status == 'Y': |
| 73 |
- expl = 'expired key' |
| 74 |
- elif status == 'R': |
| 75 |
- expl = 'revoked key' |
| 76 |
- elif status == 'E': |
| 77 |
- expl = 'unable to verify signature (missing key?)' |
| 78 |
- elif status == 'N': |
| 79 |
- expl = 'no signature' |
| 80 |
+ openpgp_env = None |
| 81 |
+ |
| 82 |
+ try: |
| 83 |
+ out = EOutput() |
| 84 |
+ env = None |
| 85 |
+ if openpgp_env is not None: |
| 86 |
+ try: |
| 87 |
+ out.einfo('Using keys from %s' % (self.repo.sync_openpgp_key_path,)) |
| 88 |
+ with io.open(self.repo.sync_openpgp_key_path, 'rb') as f: |
| 89 |
+ openpgp_env.import_key(f) |
| 90 |
+ out.ebegin('Refreshing keys from keyserver') |
| 91 |
+ openpgp_env.refresh_keys() |
| 92 |
+ out.eend(0) |
| 93 |
+ except GematoException as e: |
| 94 |
+ writemsg_level("!!! Verification impossible due to keyring problem:\n%s\n" |
| 95 |
+ % (e,), |
| 96 |
+ level=logging.ERROR, noiselevel=-1) |
| 97 |
+ return (1, False) |
| 98 |
+ |
| 99 |
+ env = os.environ.copy() |
| 100 |
+ env['GNUPGHOME'] = openpgp_env.home |
| 101 |
+ |
| 102 |
+ rev_cmd = [self.bin_command, "log", "--pretty=format:%G?", "-1"] |
| 103 |
+ try: |
| 104 |
+ status = (portage._unicode_decode( |
| 105 |
+ subprocess.check_output(rev_cmd, |
| 106 |
+ cwd=portage._unicode_encode(self.repo.location), |
| 107 |
+ env=env)) |
| 108 |
+ .strip()) |
| 109 |
+ except subprocess.CalledProcessError: |
| 110 |
+ return False |
| 111 |
+ |
| 112 |
+ if status == 'G': # good signature is good |
| 113 |
+ out.einfo('Trusted signature found on top commit') |
| 114 |
+ return True |
| 115 |
+ elif status == 'U': # untrusted |
| 116 |
+ out.ewarn('Top commit signature is valid but not trusted') |
| 117 |
+ return True |
| 118 |
else: |
| 119 |
- expl = 'unknown issue' |
| 120 |
- out.eerror('No valid signature found: %s' % (expl,)) |
| 121 |
- return False |
| 122 |
+ if status == 'B': |
| 123 |
+ expl = 'bad signature' |
| 124 |
+ elif status == 'X': |
| 125 |
+ expl = 'expired signature' |
| 126 |
+ elif status == 'Y': |
| 127 |
+ expl = 'expired key' |
| 128 |
+ elif status == 'R': |
| 129 |
+ expl = 'revoked key' |
| 130 |
+ elif status == 'E': |
| 131 |
+ expl = 'unable to verify signature (missing key?)' |
| 132 |
+ elif status == 'N': |
| 133 |
+ expl = 'no signature' |
| 134 |
+ else: |
| 135 |
+ expl = 'unknown issue' |
| 136 |
+ out.eerror('No valid signature found: %s' % (expl,)) |
| 137 |
+ return False |
| 138 |
+ finally: |
| 139 |
+ if openpgp_env is not None: |
| 140 |
+ openpgp_env.close() |
| 141 |
|
| 142 |
def retrieve_head(self, **kwargs): |
| 143 |
'''Get information about the head commit''' |
Archives