
From: "Michał Górny" <mgorny@g.o>
To: gentoo-portage-dev@l.g.o
Cc: "Michał Górny" <mgorny@g.o>
Subject: [gentoo-portage-dev] [PATCH v2 8/9] git: Support running the verification against sync-openpgp-key-path
Date: Fri, 02 Feb 2018 20:43:13
Message-Id: 20180202204223.9003-8-mgorny@gentoo.org
In Reply to: [gentoo-portage-dev] [PATCH v2 1/9] rsync: Verify the value of sync-rsync-verify-jobs by "Michał Górny"
1 ---
2 pym/portage/sync/modules/git/git.py | 101 +++++++++++++++++++++++++-----------
3 1 file changed, 70 insertions(+), 31 deletions(-)
4
5 diff --git a/pym/portage/sync/modules/git/git.py b/pym/portage/sync/modules/git/git.py
6 index 7e5ddf3b5..cec760d00 100644
7 --- a/pym/portage/sync/modules/git/git.py
8 +++ b/pym/portage/sync/modules/git/git.py
9 @@ -1,6 +1,7 @@
10 # Copyright 2005-2018 Gentoo Foundation
11 # Distributed under the terms of the GNU General Public License v2
12
13 +import io
14 import logging
15 import subprocess
16
17 @@ -13,6 +14,12 @@ bad = create_color_func("BAD")
18 warn = create_color_func("WARN")
19 from portage.sync.syncbase import NewBase
20
21 +try:
22 + from gemato.exceptions import GematoException
23 + import gemato.openpgp
24 +except ImportError:
25 + gemato = None
26 +
27
28 class GitSync(NewBase):
29 '''Git sync class'''
30 @@ -141,39 +148,71 @@ class GitSync(NewBase):
31 'sync-git-verify-commit-signature', 'false') != 'true'):
32 return True
33
34 - rev_cmd = [self.bin_command, "log", "--pretty=format:%G?", "-1"]
35 - try:
36 - status = (portage._unicode_decode(
37 - subprocess.check_output(rev_cmd,
38 - cwd=portage._unicode_encode(self.repo.location)))
39 - .strip())
40 - except subprocess.CalledProcessError:
41 - return False
42 -
43 - out = EOutput()
44 - if status == 'G': # good signature is good
45 - out.einfo('Trusted signature found on top commit')
46 - return True
47 - elif status == 'U': # untrusted
48 - out.ewarn('Top commit signature is valid but not trusted')
49 - return True
50 + if self.repo.sync_openpgp_key_path is not None:
51 + if gemato is None:
52 + writemsg_level("!!! Verifying against specified key requires gemato-11.0+ installed\n",
53 + level=logging.ERROR, noiselevel=-1)
54 + return False
55 + openpgp_env = gemato.openpgp.OpenPGPEnvironment()
56 else:
57 - if status == 'B':
58 - expl = 'bad signature'
59 - elif status == 'X':
60 - expl = 'expired signature'
61 - elif status == 'Y':
62 - expl = 'expired key'
63 - elif status == 'R':
64 - expl = 'revoked key'
65 - elif status == 'E':
66 - expl = 'unable to verify signature (missing key?)'
67 - elif status == 'N':
68 - expl = 'no signature'
69 + openpgp_env = None
70 +
71 + try:
72 + out = EOutput()
73 + env = None
74 + if openpgp_env is not None:
75 + try:
76 + out.einfo('Using keys from %s' % (self.repo.sync_openpgp_key_path,))
77 + with io.open(self.repo.sync_openpgp_key_path, 'rb') as f:
78 + openpgp_env.import_key(f)
79 + out.ebegin('Refreshing keys from keyserver')
80 + openpgp_env.refresh_keys()
81 + out.eend(0)
82 + except GematoException as e:
83 + writemsg_level("!!! Verification impossible due to keyring problem:\n%s\n"
84 + % (e,),
85 + level=logging.ERROR, noiselevel=-1)
86 + return (1, False)
87 +
88 + env = os.environ.copy()
89 + env['GNUPGHOME'] = openpgp_env.home
90 +
91 + rev_cmd = [self.bin_command, "log", "--pretty=format:%G?", "-1"]
92 + try:
93 + status = (portage._unicode_decode(
94 + subprocess.check_output(rev_cmd,
95 + cwd=portage._unicode_encode(self.repo.location),
96 + env=env))
97 + .strip())
98 + except subprocess.CalledProcessError:
99 + return False
100 +
101 + if status == 'G': # good signature is good
102 + out.einfo('Trusted signature found on top commit')
103 + return True
104 + elif status == 'U': # untrusted
105 + out.ewarn('Top commit signature is valid but not trusted')
106 + return True
107 else:
108 - expl = 'unknown issue'
109 - out.eerror('No valid signature found: %s' % (expl,))
110 - return False
111 + if status == 'B':
112 + expl = 'bad signature'
113 + elif status == 'X':
114 + expl = 'expired signature'
115 + elif status == 'Y':
116 + expl = 'expired key'
117 + elif status == 'R':
118 + expl = 'revoked key'
119 + elif status == 'E':
120 + expl = 'unable to verify signature (missing key?)'
121 + elif status == 'N':
122 + expl = 'no signature'
123 + else:
124 + expl = 'unknown issue'
125 + out.eerror('No valid signature found: %s' % (expl,))
126 + return False
127 + finally:
128 + if openpgp_env is not None:
129 + openpgp_env.close()
130
131 def retrieve_head(self, **kwargs):
132 '''Get information about the head commit'''
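Review bot: The keyring-failure exit in the new `except GematoException` branch returns `(1, False)` while every other exit of this method returns a bare bool, and a non-empty tuple is truthy, so a caller that tests the result as a boolean would treat a broken or unreadable keyring as a passed verification; it should be `return False`, matching the `CalledProcessError` path below it. The `out.ebegin('Refreshing keys from keyserver')` is also left without a matching `eend` when `refresh_keys()` raises, so the error message is printed under an open status line; `out.eend(1)` at the top of the except block would close it. `os.environ.copy()` relies on `os` being in scope, which the visible import hunk does not add — confirm it is imported earlier in the file. The enclosing method starts before this hunk.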
133 --
134 2.16.1