public inbox for gentoo-dev@lists.gentoo.org
From: Eli Schwartz <eschwartz@gentoo.org>
To: Sam James <sam@gentoo.org>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH 1/2] sec-keys.eclass: new eclass
Date: Wed, 27 Nov 2024 23:17:32 -0500	[thread overview]
Message-ID: <a61fc68a-6acc-49bd-ae8a-9ab1fd549033@gentoo.org> (raw)
In-Reply-To: <87plmgtk4a.fsf@gentoo.org>



On 11/27/24 4:57 PM, Sam James wrote:
> Eli Schwartz <eschwartz@gentoo.org> writes:
>> +# @EXAMPLE:
>> +# Example use:
>> +#
>> +# @CODE
>> +# SEC_KEYS_VALIDPGPKEYS=(
>> +#	'4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
>> +# )
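Review bot: the example shows one entry without saying what the three colon-separated fields are; the first is clearly the fingerprint (the later code takes it with `%%:*`), the other two look like a user name and a key source, and the thread mentions 'github' and 'none' as source values. Add a one-line description of each field above the array, and since fingerprints are later compared textually against gpg's own output, state that the first field must be the full 40-hex-digit uppercase fingerprint rather than a key ID.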
> 
> Can you expand the example(s) here maybe with some comments in the array
> to help people see when it might be suitable to use e.g. none with a mix
> of github?


Sure, good idea.


>> +# @FUNCTION: sec-keys_src_compile
>> +# @DESCRIPTION:
>> +# Default src_compile override that imports all public keys into a keyring,
>> +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS.
>> +sec-keys_src_compile() {
>> +	local -x GNUPGHOME=${WORKDIR}/gnupg
>> +	mkdir -m700 -p "${GNUPGHOME}" || die
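Review bot: `mkdir -m700 -p` applies the mode only to the final path component and leaves an already-existing directory's permissions untouched, so if ${WORKDIR}/gnupg survives from an earlier run with looser permissions gpg will warn about an unsafe homedir; either remove it first or follow the mkdir with `chmod 700 "${GNUPGHOME}" || die`. Exporting a private GNUPGHOME with `local -x` is the right choice here, since it keeps the build from touching the user's keyring.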
> 
> Is there any value in using gemato's gpg-wrap for this function?


I don't think so. The main use case for gemato that I see is it
automatically entering a tempdir context based on a keyfile. We need to
support multiple keyfiles, including ebuild-specified SRC_URI that may
not be ascii-armored and cannot be concatenated together, which means in
order to get to a point where gpg-wrap can be used to run one-off
commands using a keyfile in which gemato wraps the creation of a
keyring... we've basically done all the work we actually wanted to do.


>> +	local extra_keys=($(comm -23 imported_keys.list allowed_keys.list || die))
>> +	local missing_keys=($(comm -13 imported_keys.list allowed_keys.list || die))
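Review bot: comm(1) only gives correct results when both inputs are sorted under the same collation, and these two lines do not show how imported_keys.list and allowed_keys.list were produced; make sure both pass through the same `LC_ALL=C sort -u` before the comparison, otherwise a fingerprint present in both files can be reported as both extra and missing. The unquoted `$(...)` word-splitting itself is fine here, as the files hold only hex words separated by newlines.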
> 
> Any reason to not readarray this instead?


The files each contain a list of words (PGP fingerprint, consisting of
characters matching [0-9A-F] and nothing else), with the only whitespace
in the file being newline characters.

Both readarray and command substitution tokenize this the same. I'm not
sure it particularly matters which one to use, but command substitution
can be done on one line (local variable=($(command || die)) ) whereas
readarray requires two lines (local -a variable; readarray -t variable <
<(command || die) ) and you have to remember to use -t and -a.

I don't think readarray provides any functionality we need here.


>> +	for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
>> +		local uids=()
>> +		mapfile -t uids < <("${gpg_command[@]}" --list-key --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
>> +		edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
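Review bot: in the mapfile line the `|| die` only tests awk's exit status, because without `pipefail` a pipeline reports its last command; a failing `gpg --list-key` therefore yields an empty uids array and a silent, comment-less export instead of a die. Either write the gpg output to a temporary file with its own `|| die` and run awk on that, or follow the pipeline with `assert`, which checks every member of PIPESTATUS. Also quote `${fingerprint}` and the redirect target `${PN#openpgp-keys-}.asc`, and the trailing `|| die` after `edo` is redundant, as already noted.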
> 
> No need for the die here.


Right, I probably forgot to remove this when I switched to edo.



-- 
Eli Schwartz
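The allow-list comparison that the quoted src_compile performs, as an added example that is not part of the eclass or of this thread: it builds the two sorted fingerprint lists from constructed data, runs the same comm(1) checks, and returns non-zero on an unexpected or missing key. Only the 'fingerprint:name:source' entry format and the one documented example entry come from the patch; every other fingerprint, the function names and the "imported" set are constructed for this example.

```shell
#!/bin/bash
# Allow-list in the eclass format 'fingerprint:name:source'. The first entry
# is the one from the eclass documentation; the other two are constructed.
SEC_KEYS_VALIDPGPKEYS=(
	'4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
	'0123456789ABCDEF0123456789ABCDEF01234567:alice:none'
	'FEDCBA9876543210FEDCBA9876543210FEDCBA98:bob:github'
)

# Write one fingerprint per line, sorted with C collation and deduplicated.
# comm(1) assumes both inputs are sorted the same way and silently misreports
# differences otherwise, so the lists are sorted here rather than trusted.
write_sorted_list() {
	local file=$1; shift
	{ (( $# )) && printf '%s\n' "$@"; } | LC_ALL=C sort -u > "${file}"
}

# sec_keys_check FINGERPRINT...
# Compare the fingerprints gpg reported after import (the arguments) with
# SEC_KEYS_VALIDPGPKEYS. Prints 'extra FPR' for keys that were imported but
# are not allow-listed and 'missing FPR' for allow-listed keys that never
# arrived; returns 1 on any mismatch and 0 when the two sets are identical.
sec_keys_check() {
	local tmp rc=0
	tmp=$(mktemp -d) || return 2
	write_sorted_list "${tmp}/allowed_keys.list" "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"
	write_sorted_list "${tmp}/imported_keys.list" "$@"
	# Same tokenisation as the eclass: the files hold only [0-9A-F] words and
	# newlines, so an unquoted command substitution splits them cleanly.
	local extra_keys=($(comm -23 "${tmp}/imported_keys.list" "${tmp}/allowed_keys.list"))
	local missing_keys=($(comm -13 "${tmp}/imported_keys.list" "${tmp}/allowed_keys.list"))
	rm -rf "${tmp}"
	(( ${#extra_keys[@]} )) && { printf 'extra %s\n' "${extra_keys[@]}"; rc=1; }
	(( ${#missing_keys[@]} )) && { printf 'missing %s\n' "${missing_keys[@]}"; rc=1; }
	return "${rc}"
}

# Constructed stand-in for a real import: alice's and jsmith's keys arrived,
# bob's did not, and one key the ebuild never listed came in with a key file.
sec_keys_check \
	'0123456789ABCDEF0123456789ABCDEF01234567' \
	'DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF' \
	'4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A' \
	|| echo "sec_keys_check failed with status $?"
```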

