commit: fdbc65c03e802d0eeb8c4c4ed78df1c7fe68c1f1 |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Sat Sep 3 01:48:29 2022 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Sat Sep 3 01:48:34 2022 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fdbc65c0 |
|
sec-keys/openpgp-keys-gentoo-developers: drop 20220711, 20220718 |
|
Will try to keep older versions around in future but had to rename |
a few of the files due to an error in the script (contents are fine, |
just dates were a week wrong). |
|
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
sec-keys/openpgp-keys-gentoo-developers/Manifest | 2 - |
.../openpgp-keys-gentoo-developers-20220711.ebuild | 214 --------------------- |
.../openpgp-keys-gentoo-developers-20220718.ebuild | 214 --------------------- |
3 files changed, 430 deletions(-) |
|
21 |
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest |
22 |
index b3be0b159ad5..db94796079c4 100644 |
23 |
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest |
24 |
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest |
25 |
@@ -1,3 +1 @@ |
26 |
-DIST openpgp-keys-gentoo-developers-20220711-active-devs.gpg 3237775 BLAKE2B 511e4ea8907593b5ed05c79a0bf6ae131856f0511f3f6a744f393a077ad25fe3f6780caac60d4f94965d4c0aa14debae068599f50920caeaad44303a844bf7ed SHA512 c0122037a3bfde1eec0c3ca7a303ff82f532c518427b34814c12949572c18537f617db22563c15d40fd41f0c94e6c50bcd3e0d3d7d1175400057aafbe41ae2b2 |
27 |
-DIST openpgp-keys-gentoo-developers-20220718-active-devs.gpg 3238135 BLAKE2B a500165c89d28d1aef314ef10e639efe5b354cb39cca2c0565b43b55c580eed26d74be1d45b3be3d55d7879f25282d367cca6e04423df59191b7eedfcc1def88 SHA512 e51afcb31f81ee8596c9b2393fae41d8c67fc363d71f91296195369a428371e6151b81fd57a0cff382ad3493e57b6527126abedcdbc72b32f1bd5b2021e029eb |
28 |
DIST openpgp-keys-gentoo-developers-20220830-active-devs.gpg 3234718 BLAKE2B 80753222b4d2febf0d8568503d646e0258410010eefa35ea3914f5979ea05f12634676212df392f5ddbb153899cd7452ee89d412bea9de8e67abf93243444fa8 SHA512 2676fe541cdad8755f745ebd24badd7b4193bdff71f478f2442fea84e1e07b060564d437ce642b01a37ba8086a8177a84c32abf3dd794be8e587e1740bed2af2 |
29 |
|
30 |
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild |
31 |
deleted file mode 100644 |
32 |
index 4ff65eaaea85..000000000000 |
33 |
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild |
34 |
+++ /dev/null |
35 |
@@ -1,214 +0,0 @@ |
36 |
-# Copyright 1999-2022 Gentoo Authors |
37 |
-# Distributed under the terms of the GNU General Public License v2 |
38 |
- |
39 |
-EAPI=8 |
40 |
- |
41 |
-PYTHON_COMPAT=( python3_{9..11} ) |
42 |
-inherit edo python-any-r1 |
43 |
- |
44 |
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)" |
45 |
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/" |
46 |
-if [[ ${PV} == 9999* ]] ; then |
47 |
- SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" |
48 |
- PROPERTIES="live" |
49 |
-else |
50 |
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" |
51 |
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86" |
52 |
-fi |
53 |
- |
54 |
-S="${WORKDIR}" |
55 |
- |
56 |
-LICENSE="public-domain" |
57 |
-SLOT="0" |
58 |
-IUSE="test" |
59 |
-RESTRICT="!test? ( test )" |
60 |
- |
61 |
-BDEPEND=" |
62 |
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') |
63 |
- sec-keys/openpgp-keys-gentoo-auth |
64 |
- test? ( |
65 |
- app-crypt/gnupg |
66 |
- ) |
67 |
-" |
68 |
- |
69 |
-python_check_deps() { |
70 |
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" |
71 |
-} |
72 |
- |
73 |
-src_compile() { |
74 |
- export GNUPGHOME="${T}"/.gnupg |
75 |
- |
76 |
- local mygpgargs=( |
77 |
- --no-autostart |
78 |
- --no-default-keyring |
79 |
- --homedir "${GNUPGHOME}" |
80 |
- ) |
81 |
- |
82 |
- # From verify-sig.eclass: |
83 |
- # "GPG upstream knows better than to follow the spec, so we can't |
84 |
- # override this directory. However, there is a clean fallback |
85 |
- # to GNUPGHOME." |
86 |
- addpredict /run/user |
87 |
- |
88 |
- mkdir "${GNUPGHOME}" || die |
89 |
- chmod 700 "${GNUPGHOME}" || die |
90 |
- |
91 |
- # Convert the binary keyring into an armored one so we can process it |
92 |
- edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg |
93 |
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc |
94 |
- |
95 |
- # Now strip out the keys which are expired and/or missing a signature |
96 |
- # from our L2 developer authority key |
97 |
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ |
98 |
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ |
99 |
- "${WORKDIR}"/gentoo-developers.asc \ |
100 |
- "${WORKDIR}"/gentoo-developers-sanitised.asc |
101 |
-} |
102 |
- |
103 |
-src_test() { |
104 |
- export GNUPGHOME="${T}"/tests/.gnupg |
105 |
- |
106 |
- local mygpgargs=( |
107 |
- # We don't have --no-autostart here because we need |
108 |
- # to let it spawn an agent for the key generation. |
109 |
- --no-default-keyring |
110 |
- --homedir "${GNUPGHOME}" |
111 |
- ) |
112 |
- |
113 |
- # From verify-sig.eclass: |
114 |
- # "GPG upstream knows better than to follow the spec, so we can't |
115 |
- # override this directory. However, there is a clean fallback |
116 |
- # to GNUPGHOME." |
117 |
- addpredict /run/user |
118 |
- |
119 |
- # Check each of the keys to verify they're trusted by |
120 |
- # the L2 developer key. |
121 |
- mkdir -p "${GNUPGHOME}" || die |
122 |
- chmod 700 "${GNUPGHOME}" || die |
123 |
- cd "${T}"/tests || die |
124 |
- |
125 |
- # First, grab the L1 key, and mark it as ultimately trusted. |
126 |
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc |
127 |
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt |
128 |
- |
129 |
- # Generate a temporary key which isn't signed by anything to check |
130 |
- # whether we're detecting unexpected keys. |
131 |
- # |
132 |
- # The test is whether this appears in the sanitised keyring we |
133 |
- # produce in src_compile (it should not be in there). |
134 |
- # |
135 |
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html |
136 |
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF |
137 |
- %echo Generating temporary key for testing... |
138 |
- |
139 |
- %no-protection |
140 |
- %transient-key |
141 |
- %pubring ${P}-ebuild-test-key.asc |
142 |
- |
143 |
- Key-Type: 1 |
144 |
- Key-Length: 2048 |
145 |
- Subkey-Type: 1 |
146 |
- Subkey-Length: 2048 |
147 |
- Name-Real: Larry The Cow |
148 |
- Name-Email: larry@×××××××.com |
149 |
- Expire-Date: 0 |
150 |
- Handle: ${P}-ebuild-test-key |
151 |
- |
152 |
- %commit |
153 |
- %echo Temporary key generated! |
154 |
- EOF |
155 |
- |
156 |
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring |
157 |
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc |
158 |
- |
159 |
- # Sign a tiny file with the to-be-injected key for testing rejection below |
160 |
- echo "Hello world!" > "${T}"/tests/signme || die |
161 |
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@×××××××.com>" --sign "${T}"/tests/signme || die |
162 |
- |
163 |
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc |
164 |
- |
165 |
- # keyring-mangler.py should now produce a keyring *without* it |
166 |
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ |
167 |
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ |
168 |
- "${T}"/tests/tainted-keyring.asc \ |
169 |
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log |
170 |
- assert "Key mangling in tests failed?" |
171 |
- |
172 |
- # Check the log to verify the injected key got detected |
173 |
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" |
174 |
- |
175 |
- # gnupg doesn't have an easy way for us to actually just.. ask |
176 |
- # if a key is known via WoT. So, sign a file using the key |
177 |
- # we just made, and then try to gpg --verify it, and check exit code. |
178 |
- # |
179 |
- # Let's now double check by seeing if a file signed by the injected key |
180 |
- # is rejected. |
181 |
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then |
182 |
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" |
183 |
- fi |
184 |
- |
185 |
- # Bonus lame sanity check |
186 |
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log |
187 |
- assert "trustdb call failed!" |
188 |
- |
189 |
- check_trust_levels() { |
190 |
- local mode=${1} |
191 |
- |
192 |
- while IFS= read -r line; do |
193 |
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u |
194 |
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u |
195 |
- if [[ ${line} == *depth* ]] ; then |
196 |
- depth=$(echo ${line} | grep -Po "depth: [0-9]") |
197 |
- trust=$(echo ${line} | grep -Po "trust:.*") |
198 |
- |
199 |
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") |
200 |
- [[ ${trust_uncalculated} == 0 ]] || ${mode} |
201 |
- |
202 |
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") |
203 |
- [[ ${trust_insufficient} == 0 ]] || ${mode} |
204 |
- |
205 |
- trust_never=$(echo ${trust} | grep -Po "[0-9]n") |
206 |
- [[ ${trust_never} == 0 ]] || ${mode} |
207 |
- |
208 |
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") |
209 |
- [[ ${trust_marginal} == 0 ]] || ${mode} |
210 |
- |
211 |
- trust_full=$(echo ${trust} | grep -Po "[0-9]f") |
212 |
- [[ ${trust_full} != 0 ]] || ${mode} |
213 |
- |
214 |
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") |
215 |
- [[ ${trust_ultimate} == 1 ]] || ${mode} |
216 |
- |
217 |
- echo "${trust_uncalculated}, ${trust_insufficient}" |
218 |
- fi |
219 |
- done < "${T}"/tests/trustdb.log |
220 |
- } |
221 |
- |
222 |
- # First, check with the bad key still in the test keyring. |
223 |
- # This is supposed to fail, so we want it to return 1 |
224 |
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" |
225 |
- |
226 |
- # Now check without the bad key in the test keyring. |
227 |
- # This one should pass. |
228 |
- # |
229 |
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) |
230 |
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@×××××××.com>" \ |
231 |
- | grep "^fpr" \ |
232 |
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') |
233 |
- |
234 |
- for key in ${keys[@]} ; do |
235 |
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} |
236 |
- done |
237 |
- |
238 |
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@×××××××.com>" |
239 |
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" |
240 |
- |
241 |
- gpgconf --kill gpg-agent || die |
242 |
-} |
243 |
- |
244 |
-src_install() { |
245 |
- insinto /usr/share/openpgp-keys |
246 |
- newins gentoo-developers-sanitised.asc gentoo-developers.asc |
247 |
- |
248 |
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? |
249 |
-} |
250 |
|
251 |
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild |
252 |
deleted file mode 100644 |
253 |
index 4ff65eaaea85..000000000000 |
254 |
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild |
255 |
+++ /dev/null |
256 |
@@ -1,214 +0,0 @@ |
257 |
-# Copyright 1999-2022 Gentoo Authors |
258 |
-# Distributed under the terms of the GNU General Public License v2 |
259 |
- |
260 |
-EAPI=8 |
261 |
- |
262 |
-PYTHON_COMPAT=( python3_{9..11} ) |
263 |
-inherit edo python-any-r1 |
264 |
- |
265 |
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)" |
266 |
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/" |
267 |
-if [[ ${PV} == 9999* ]] ; then |
268 |
- SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" |
269 |
- PROPERTIES="live" |
270 |
-else |
271 |
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" |
272 |
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86" |
273 |
-fi |
274 |
- |
275 |
-S="${WORKDIR}" |
276 |
- |
277 |
-LICENSE="public-domain" |
278 |
-SLOT="0" |
279 |
-IUSE="test" |
280 |
-RESTRICT="!test? ( test )" |
281 |
- |
282 |
-BDEPEND=" |
283 |
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') |
284 |
- sec-keys/openpgp-keys-gentoo-auth |
285 |
- test? ( |
286 |
- app-crypt/gnupg |
287 |
- ) |
288 |
-" |
289 |
- |
290 |
-python_check_deps() { |
291 |
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" |
292 |
-} |
293 |
- |
294 |
-src_compile() { |
295 |
- export GNUPGHOME="${T}"/.gnupg |
296 |
- |
297 |
- local mygpgargs=( |
298 |
- --no-autostart |
299 |
- --no-default-keyring |
300 |
- --homedir "${GNUPGHOME}" |
301 |
- ) |
302 |
- |
303 |
- # From verify-sig.eclass: |
304 |
- # "GPG upstream knows better than to follow the spec, so we can't |
305 |
- # override this directory. However, there is a clean fallback |
306 |
- # to GNUPGHOME." |
307 |
- addpredict /run/user |
308 |
- |
309 |
- mkdir "${GNUPGHOME}" || die |
310 |
- chmod 700 "${GNUPGHOME}" || die |
311 |
- |
312 |
- # Convert the binary keyring into an armored one so we can process it |
313 |
- edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg |
314 |
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc |
315 |
- |
316 |
- # Now strip out the keys which are expired and/or missing a signature |
317 |
- # from our L2 developer authority key |
318 |
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ |
319 |
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ |
320 |
- "${WORKDIR}"/gentoo-developers.asc \ |
321 |
- "${WORKDIR}"/gentoo-developers-sanitised.asc |
322 |
-} |
323 |
- |
324 |
-src_test() { |
325 |
- export GNUPGHOME="${T}"/tests/.gnupg |
326 |
- |
327 |
- local mygpgargs=( |
328 |
- # We don't have --no-autostart here because we need |
329 |
- # to let it spawn an agent for the key generation. |
330 |
- --no-default-keyring |
331 |
- --homedir "${GNUPGHOME}" |
332 |
- ) |
333 |
- |
334 |
- # From verify-sig.eclass: |
335 |
- # "GPG upstream knows better than to follow the spec, so we can't |
336 |
- # override this directory. However, there is a clean fallback |
337 |
- # to GNUPGHOME." |
338 |
- addpredict /run/user |
339 |
- |
340 |
- # Check each of the keys to verify they're trusted by |
341 |
- # the L2 developer key. |
342 |
- mkdir -p "${GNUPGHOME}" || die |
343 |
- chmod 700 "${GNUPGHOME}" || die |
344 |
- cd "${T}"/tests || die |
345 |
- |
346 |
- # First, grab the L1 key, and mark it as ultimately trusted. |
347 |
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc |
348 |
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt |
349 |
- |
350 |
- # Generate a temporary key which isn't signed by anything to check |
351 |
- # whether we're detecting unexpected keys. |
352 |
- # |
353 |
- # The test is whether this appears in the sanitised keyring we |
354 |
- # produce in src_compile (it should not be in there). |
355 |
- # |
356 |
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html |
357 |
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF |
358 |
- %echo Generating temporary key for testing... |
359 |
- |
360 |
- %no-protection |
361 |
- %transient-key |
362 |
- %pubring ${P}-ebuild-test-key.asc |
363 |
- |
364 |
- Key-Type: 1 |
365 |
- Key-Length: 2048 |
366 |
- Subkey-Type: 1 |
367 |
- Subkey-Length: 2048 |
368 |
- Name-Real: Larry The Cow |
369 |
- Name-Email: larry@×××××××.com |
370 |
- Expire-Date: 0 |
371 |
- Handle: ${P}-ebuild-test-key |
372 |
- |
373 |
- %commit |
374 |
- %echo Temporary key generated! |
375 |
- EOF |
376 |
- |
377 |
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring |
378 |
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc |
379 |
- |
380 |
- # Sign a tiny file with the to-be-injected key for testing rejection below |
381 |
- echo "Hello world!" > "${T}"/tests/signme || die |
382 |
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@×××××××.com>" --sign "${T}"/tests/signme || die |
383 |
- |
384 |
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc |
385 |
- |
386 |
- # keyring-mangler.py should now produce a keyring *without* it |
387 |
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ |
388 |
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ |
389 |
- "${T}"/tests/tainted-keyring.asc \ |
390 |
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log |
391 |
- assert "Key mangling in tests failed?" |
392 |
- |
393 |
- # Check the log to verify the injected key got detected |
394 |
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" |
395 |
- |
396 |
- # gnupg doesn't have an easy way for us to actually just.. ask |
397 |
- # if a key is known via WoT. So, sign a file using the key |
398 |
- # we just made, and then try to gpg --verify it, and check exit code. |
399 |
- # |
400 |
- # Let's now double check by seeing if a file signed by the injected key |
401 |
- # is rejected. |
402 |
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then |
403 |
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" |
404 |
- fi |
405 |
- |
406 |
- # Bonus lame sanity check |
407 |
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log |
408 |
- assert "trustdb call failed!" |
409 |
- |
410 |
- check_trust_levels() { |
411 |
- local mode=${1} |
412 |
- |
413 |
- while IFS= read -r line; do |
414 |
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u |
415 |
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u |
416 |
- if [[ ${line} == *depth* ]] ; then |
417 |
- depth=$(echo ${line} | grep -Po "depth: [0-9]") |
418 |
- trust=$(echo ${line} | grep -Po "trust:.*") |
419 |
- |
420 |
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") |
421 |
- [[ ${trust_uncalculated} == 0 ]] || ${mode} |
422 |
- |
423 |
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") |
424 |
- [[ ${trust_insufficient} == 0 ]] || ${mode} |
425 |
- |
426 |
- trust_never=$(echo ${trust} | grep -Po "[0-9]n") |
427 |
- [[ ${trust_never} == 0 ]] || ${mode} |
428 |
- |
429 |
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") |
430 |
- [[ ${trust_marginal} == 0 ]] || ${mode} |
431 |
- |
432 |
- trust_full=$(echo ${trust} | grep -Po "[0-9]f") |
433 |
- [[ ${trust_full} != 0 ]] || ${mode} |
434 |
- |
435 |
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") |
436 |
- [[ ${trust_ultimate} == 1 ]] || ${mode} |
437 |
- |
438 |
- echo "${trust_uncalculated}, ${trust_insufficient}" |
439 |
- fi |
440 |
- done < "${T}"/tests/trustdb.log |
441 |
- } |
442 |
- |
443 |
- # First, check with the bad key still in the test keyring. |
444 |
- # This is supposed to fail, so we want it to return 1 |
445 |
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" |
446 |
- |
447 |
- # Now check without the bad key in the test keyring. |
448 |
- # This one should pass. |
449 |
- # |
450 |
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) |
451 |
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@×××××××.com>" \ |
452 |
- | grep "^fpr" \ |
453 |
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') |
454 |
- |
455 |
- for key in ${keys[@]} ; do |
456 |
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} |
457 |
- done |
458 |
- |
459 |
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@×××××××.com>" |
460 |
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" |
461 |
- |
462 |
- gpgconf --kill gpg-agent || die |
463 |
-} |
464 |
- |
465 |
-src_install() { |
466 |
- insinto /usr/share/openpgp-keys |
467 |
- newins gentoo-developers-sanitised.asc gentoo-developers.asc |
468 |
- |
469 |
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? |
470 |
-} |