From: Eli Schwartz <eschwartz@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] [PATCH v2 0/2] sec-keys.eclass
Date: Wed, 27 Nov 2024 23:32:46 -0500
Message-ID: <20241128043320.1562802-1-eschwartz@gentoo.org>
In-Reply-To: <20241127203042.1503004-1-eschwartz@gentoo.org>
v2 changes:
- add src_test
- add support for gentoo keyserver
- fix small typo in handling multiple sources
- remove outdated die based on review
Eli Schwartz (2):
sec-keys.eclass: new eclass
sec-keys/openpgp-keys-gnutls: update to use sec-keys.eclass
eclass/sec-keys.eclass | 197 ++++++++++++++++++
sec-keys/openpgp-keys-gnutls/Manifest | 1 +
.../openpgp-keys-gnutls-20240415-r1.ebuild | 22 ++
3 files changed, 220 insertions(+)
create mode 100644 eclass/sec-keys.eclass
create mode 100644 sec-keys/openpgp-keys-gnutls/openpgp-keys-gnutls-20240415-r1.ebuild
Range-diff against v1:
1: 02c47372ec21 ! 1: 6777dbb541bf sec-keys.eclass: new eclass
@@ Commit message
ebuild.
Key rotations, both expected and malicious, are easily detected by
- checking the git log for changes to declared finterprints in a bump. The
+ checking the git log for changes to declared fingerprints in a bump. The
former can be rationalized in the commit message. So can the latter, but
in most cases those will be rejected during peer review.
@@ eclass/sec-keys.eclass (new)
+#
+# @CODE
+# SEC_KEYS_VALIDPGPKEYS=(
-+# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
++# # implicit Ubuntu
++# '3DB7F3CA6C1D90B99FE25B38D4B476A4D175C54F:bjones:'
++# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github,openpgp'
++# # key only available on personal website, use manual SRC_URI
++# '5FD9B5EC8E3F12D11BA47D50F6D698C6F397D76B:awhite:none'
+# )
+#
+# inherit sec-keys
++#
++# SRC_URI+="https://awhite.com/awhite.gpg -> awhite-${PV}.gpg"
+# @CODE
+
+case ${EAPI} in
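Review bot: the new example entry `'3DB7F3CA6C1D90B99FE25B38D4B476A4D175C54F:bjones:'` is annotated only as `# implicit Ubuntu`, but nothing in the `@CODE` block says that the third field may be empty while the trailing colon is still required. Add a sentence before the list stating that an empty location list defaults to `ubuntu` and that every entry must have three colon-separated fields, otherwise readers copying the example will drop the trailing colon.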
@@ eclass/sec-keys.eclass (new)
+# Mapping of fingerprints, name, and optional location of PGP keys to include,
+# separated by colons. The allowed values for a location are:
+#
++# - gentoo -- fetch key by fingerprint from https://keys.gentoo.org
++#
+# - github -- fetch key from github.com/${name}.pgp
+#
+# - openpgp -- fetch key by fingerprint from https://keys.openpgp.org
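Review bot: the `github` entry documents the URL as `github.com/${name}.pgp`, but the code in the location loop fetches `https://github.com/${name}.gpg` and `sec-keys_src_test` uses the same `.gpg` suffix; change the documentation to `.gpg` so it matches what is actually fetched.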
@@ eclass/sec-keys.eclass (new)
+ for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
+ fingerprint=${key%%:*}
+ name=${key#${fingerprint}:}; name=${name%%:*}
-+ IFS=: read -r -a locations <<<"${key##*:}"
++ IFS=, read -r -a locations <<<"${key##*:}"
+ [[ ${locations[@]} ]] || locations=(ubuntu)
+ for loc in "${locations[@]}"; do
+ case ${loc} in
++ gentoo) remote="https://keys.gentoo.org/pks/lookup?op=get&search=0x${fingerprint}";;
+ github) remote="https://github.com/${name}.gpg";;
+ openpgp) remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";;
+ ubuntu) remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";;
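Review bot: the field parsing assumes every entry has exactly three colon-separated fields. For an entry written without the trailing colon (`'<fingerprint>:bjones'`), `${key##*:}` expands to the name rather than to an empty location list, so `bjones` lands in `locations` and the `ubuntu` fallback never triggers. Consider splitting the whole entry once (`IFS=: read -r -a fields <<<"${key}"`) and dying when `${#fields[@]}` is not 3, which also gives a clear error for malformed entries instead of a confusing keyserver lookup.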
@@ eclass/sec-keys.eclass (new)
+_sec_keys_set_globals
+unset -f _sec_keys_set_globals
+
-+BDEPEND="app-crypt/gnupg"
++IUSE="test"
++PROPERTIES="test_network"
++RESTRICT="test"
++
++BDEPEND="
++ app-crypt/gnupg
++ test? ( app-crypt/pgpdump )
++"
+S=${WORKDIR}
+
+LICENSE="public-domain"
@@ eclass/sec-keys.eclass (new)
+ fi
+}
+
++
++sec-keys_src_test() {
++ local -x GNUPGHOME=${WORKDIR}/gnupg
++ local key fingerprint name server
++ local gpg_command=(gpg --export-options export-minimal)
++
++ for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
++ "${gpg_command[@]}" --export "${fingerprint}" | pgpdump > "${fingerprint}.pgpdump" || die
++ done
++
++ # Best-effort attempt to check for updates. keyservers can and usually do
++ # fail for weird reasons, (such as being unable to import a key without a
++ # uid) as well as normal reasons, like the key being exclusive to a
++ # different keyserver. this isn't a reason to fail src_test.
++ for server in keys.gentoo.org keys.openpgp.org keyserver.ubuntu.com; do
++ gpg --refresh-keys --keyserver "hkps://${server}"
++ done
++ for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
++ if [[ ${key##*:} = *github* ]]; then
++ name=${key#*:}; name=${name%%:*}
++ wget -qO- https://github.com/${name}.gpg | gpg --import || die
++ fi
++ done
++
++ for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
++ "${gpg_command[@]}" --export "${fingerprint}" | pgpdump > "${fingerprint}.pgpdump.new" || die
++ diff -u "${fingerprint}.pgpdump" "${fingerprint}.pgpdump.new" || die "updates available for PGP key: ${fingerprint}"
++ done
++
++}
++
+# @FUNCTION: sec-keys_src_install
+# @DESCRIPTION:
+# Default src_install override that minifies and exports all PGP public keys
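Review bot: `wget` is invoked in the github branch of `sec-keys_src_test` but only `app-crypt/pgpdump` was added under `test? ( ... )` in `BDEPEND`; add `net-misc/wget` there so the test dependency is declared. Also, the `gpg --refresh-keys` loop intentionally ignores failures per the comment, but prints nothing itself, so when the later `diff -u` dies with "updates available" the log gives no hint which of the three servers produced the change; an `einfo "Refreshing from ${server}"` before each call would make that traceable. Minor: there is a double blank line before the function.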
@@ eclass/sec-keys.eclass (new)
+ for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
+ local uids=()
+ mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
-+ edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
++ edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc
+ done
+
+ insinto /usr/share/openpgp-keys
@@ eclass/sec-keys.eclass (new)
+
+fi
+
-+EXPORT_FUNCTIONS src_compile src_install
++EXPORT_FUNCTIONS src_compile src_test src_install
2: 0060997db9cb = 2: 2f78bceaed3b sec-keys/openpgp-keys-gnutls: update to use sec-keys.eclass
--
2.45.2