public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/
Date: Thu, 18 May 2023 22:21:51 +0000 (UTC)	[thread overview]
Message-ID: <1684448472.d790d32d696ca7788cc37751612cee96d65070b4.sam@gentoo> (raw)

commit:     d790d32d696ca7788cc37751612cee96d65070b4
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu May 18 22:21:12 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu May 18 22:21:12 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d790d32d

sec-keys/openpgp-keys-gentoo-developers: add 20230515

Signed-off-by: Sam James <sam <AT> gentoo.org>

 sec-keys/openpgp-keys-gentoo-developers/Manifest   |   1 +
 .../openpgp-keys-gentoo-developers-20230515.ebuild | 233 +++++++++++++++++++++
 2 files changed, 234 insertions(+)

diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index 864f45eec61c..15b1dca95fd2 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,2 +1,3 @@
 DIST openpgp-keys-gentoo-developers-20230403-active-devs.gpg 3033398 BLAKE2B 233549fa600d855df1f4130224c63b10d0df3312886bef1c0486553db3025554a4fff7af104a3f0869390d53837a8d0182d830432e855273da28c753ea579d7e SHA512 33264b9ef002656f5c58dc2b2ff568d01b624c68e2e42db0d388b9a99b45c2d605df0d5db7b5029c0946f524fa7168252ba87908336e6f9ad0717c20d43cd112
 DIST openpgp-keys-gentoo-developers-20230508-active-devs.gpg 3084780 BLAKE2B e7bdf7d2dd4031c63b8acc326c4f11b1f31639d97fa18eb37ec40805789e6c574d5443b0028f204375d0854e661ed2893ca960e9663b41c67b91d87d4e50466d SHA512 bcd0bc704e36dbfdb37cce3739336af7767c64eb9e443607c743c608274676b779e158bdb34ab22d6da6921c3c7b43ecd729c856600c530757fb7da020bf9d67
+DIST openpgp-keys-gentoo-developers-20230515-active-devs.gpg 3093773 BLAKE2B 481e754067cf3ecdce5792490bda2ea9a8afa412c3b6442955f588b2a1c084032ec9d191b39a1931a25e72b291f21dc6e6011b27badd39688420d58743aafa20 SHA512 4c5f7b90e228c639b720932841d404b87cb730929c6955d1441771d1213111375c390aae675176f2a3a99b8dc1d24cdf4f4986f0dfd6025f36d4d84c8eb44c02

diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild
new file mode 100644
index 000000000000..efd0694ab707
--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild
@@ -0,0 +1,233 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+inherit edo python-any-r1
+
+DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+if [[ ${PV} == 9999* ]] ; then
+	PROPERTIES="live"
+
+	BDEPEND="net-misc/curl"
+else
+	SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+IUSE="test"
+RESTRICT="!test? ( test )"
+
+BDEPEND+="
+	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
+	sec-keys/openpgp-keys-gentoo-auth
+	test? (
+		app-crypt/gnupg
+		sys-apps/grep[pcre]
+	)
+"
+
+python_check_deps() {
+	python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999* ]] ; then
+		curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
+	else
+		default
+	fi
+}
+
+src_compile() {
+	export GNUPGHOME="${T}"/.gnupg
+
+	get_gpg_keyring_dir() {
+		if [[ ${PV} == 9999* ]] ; then
+			echo "${WORKDIR}"
+		else
+			echo "${DISTDIR}"
+		fi
+	}
+
+	local mygpgargs=(
+		--no-autostart
+		--no-default-keyring
+		--homedir "${GNUPGHOME}"
+	)
+
+	# From verify-sig.eclass:
+	# "GPG upstream knows better than to follow the spec, so we can't
+	# override this directory.  However, there is a clean fallback
+	# to GNUPGHOME."
+	addpredict /run/user
+
+	mkdir "${GNUPGHOME}" || die
+	chmod 700 "${GNUPGHOME}" || die
+
+	# Convert the binary keyring into an armored one so we can process it
+	edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
+	edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
+
+	# Now strip out the keys which are expired and/or missing a signature
+	# from our L2 developer authority key
+	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+			"${WORKDIR}"/gentoo-developers.asc \
+			"${WORKDIR}"/gentoo-developers-sanitised.asc
+}
+
+src_test() {
+	export GNUPGHOME="${T}"/tests/.gnupg
+
+	local mygpgargs=(
+		# We don't have --no-autostart here because we need
+		# to let it spawn an agent for the key generation.
+		--no-default-keyring
+		--homedir "${GNUPGHOME}"
+	)
+
+	# From verify-sig.eclass:
+	# "GPG upstream knows better than to follow the spec, so we can't
+	# override this directory.  However, there is a clean fallback
+	# to GNUPGHOME."
+	addpredict /run/user
+
+	# Check each of the keys to verify they're trusted by
+	# the L2 developer key.
+	mkdir -p "${GNUPGHOME}" || die
+	chmod 700 "${GNUPGHOME}" || die
+	cd "${T}"/tests || die
+
+	# First, grab the L1 key, and mark it as ultimately trusted.
+	edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
+	edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
+
+	# Generate a temporary key which isn't signed by anything to check
+	# whether we're detecting unexpected keys.
+	#
+	# The test is whether this appears in the sanitised keyring we
+	# produce in src_compile (it should not be in there).
+	#
+	# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
+	edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
+		%echo Generating temporary key for testing...
+
+		%no-protection
+		%transient-key
+		%pubring ${P}-ebuild-test-key.asc
+
+		Key-Type: 1
+		Key-Length: 2048
+		Subkey-Type: 1
+		Subkey-Length: 2048
+		Name-Real: Larry The Cow
+		Name-Email: larry@example.com
+		Expire-Date: 0
+		Handle: ${P}-ebuild-test-key
+
+		%commit
+		%echo Temporary key generated!
+	EOF
+
+	# Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
+	edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
+
+	# Sign a tiny file with the to-be-injected key for testing rejection below
+	echo "Hello world!" > "${T}"/tests/signme || die
+	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
+
+	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
+
+	# keyring-mangler.py should now produce a keyring *without* it
+	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+			"${T}"/tests/tainted-keyring.asc \
+			"${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
+	assert "Key mangling in tests failed?"
+
+	# Check the log to verify the injected key got detected
+	grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
+
+	# gnupg doesn't have an easy way for us to actually just.. ask
+	# if a key is known via WoT. So, sign a file using the key
+	# we just made, and then try to gpg --verify it, and check exit code.
+	#
+	# Let's now double check by seeing if a file signed by the injected key
+	# is rejected.
+	if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
+		die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
+	fi
+
+	# Bonus lame sanity check
+	edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
+	assert "trustdb call failed!"
+
+	check_trust_levels() {
+		local mode=${1}
+
+		while IFS= read -r line; do
+			# gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
+			# gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
+			if [[ ${line} == *depth* ]] ; then
+				depth=$(echo ${line} | grep -Po "depth: [0-9]")
+				trust=$(echo ${line} | grep -Po "trust:.*")
+
+				trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
+				[[ ${trust_uncalculated} == 0 ]] || ${mode}
+
+				trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
+				[[ ${trust_insufficient} == 0 ]] || ${mode}
+
+				trust_never=$(echo ${trust} | grep -Po "[0-9]n")
+				[[ ${trust_never} == 0 ]] || ${mode}
+
+				trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
+				[[ ${trust_marginal} == 0 ]] || ${mode}
+
+				trust_full=$(echo ${trust} | grep -Po "[0-9]f")
+				[[ ${trust_full} != 0 ]] || ${mode}
+
+				trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
+				[[ ${trust_ultimate} == 1 ]] || ${mode}
+
+				echo "${trust_uncalculated}, ${trust_insufficient}"
+			fi
+		done < "${T}"/tests/trustdb.log
+	}
+
+	# First, check with the bad key still in the test keyring.
+	# This is supposed to fail, so we want it to return 1
+	check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
+
+	# Now check without the bad key in the test keyring.
+	# This one should pass.
+	#
+	# Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
+	keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
+		| grep "^fpr" \
+		| sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
+
+	local key
+	for key in ${keys[@]} ; do
+		nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
+	done
+
+	edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
+	check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
+
+	gpgconf --kill gpg-agent || die
+}
+
+src_install() {
+	insinto /usr/share/openpgp-keys
+	newins gentoo-developers-sanitised.asc gentoo-developers.asc
+
+	# TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
+}


             reply	other threads:[~2023-05-18 22:21 UTC|newest]

Thread overview: 87+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-18 22:21 Sam James [this message]
  -- strict thread matches above, loose matches on Subject: below --
2024-08-29  3:51 [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/ Sam James
2024-07-17  5:54 Sam James
2024-07-14 22:33 James Le Cuirot
2024-07-14 15:03 James Le Cuirot
2024-07-14 15:03 James Le Cuirot
2024-07-03 16:21 Michał Górny
2024-04-29  5:44 Sam James
2024-04-27 22:38 Sam James
2024-02-29  7:52 Sam James
2024-02-29  7:52 Sam James
2023-12-29 23:32 Sam James
2023-12-28  3:43 Sam James
2023-12-15  6:44 Sam James
2023-11-25  5:36 Sam James
2023-11-25  5:36 Sam James
2023-11-25  5:36 Sam James
2023-11-25  5:36 Sam James
2023-11-25  5:36 Sam James
2023-11-06 17:15 Sam James
2023-11-06 17:15 Sam James
2023-10-21 23:11 Sam James
2023-10-21 23:11 Sam James
2023-10-08  1:04 Sam James
2023-09-27  3:03 Sam James
2023-09-27  3:03 Sam James
2023-09-27  3:03 Sam James
2023-09-25  1:48 Sam James
2023-09-16 12:53 Sam James
2023-09-07  8:04 Sam James
2023-09-03  7:24 Sam James
2023-09-03  7:24 Sam James
2023-09-01  2:29 Sam James
2023-09-01  2:29 Sam James
2023-09-01  2:29 Sam James
2023-09-01  2:29 Sam James
2023-08-04 11:25 Sam James
2023-08-04 11:25 Sam James
2023-08-04 11:25 Sam James
2023-08-04 11:25 Sam James
2023-07-19 20:25 Sam James
2023-07-19 20:25 Sam James
2023-07-19 20:25 Sam James
2023-07-19 20:25 Sam James
2023-06-24  5:02 Sam James
2023-06-24  5:02 Sam James
2023-06-14  4:07 Sam James
2023-06-14  3:10 Sam James
2023-06-14  3:10 Sam James
2023-06-14  3:08 Sam James
2023-06-14  3:08 Sam James
2023-06-14  3:08 Sam James
2023-06-01  5:54 Sam James
2023-06-01  5:54 Sam James
2023-06-01  5:54 Sam James
2023-05-15  4:10 Sam James
2023-05-15  4:10 Sam James
2023-05-15  4:10 Sam James
2023-05-15  4:10 Sam James
2023-04-23 19:46 Sam James
2023-04-23  7:09 Sam James
2023-04-23  7:05 Sam James
2023-04-08  6:47 Viorel Munteanu
2023-04-04  4:20 Sam James
2023-04-01  0:55 Sam James
2023-03-31 21:28 Sam James
2023-03-31 21:01 Sam James
2023-03-31 20:59 Sam James
2023-03-31 20:59 Sam James
2023-03-29 18:24 Arthur Zamarin
2023-03-29 14:58 Sam James
2023-03-29 11:24 Sam James
2023-03-29 11:24 Sam James
2023-03-29 11:24 Sam James
2023-03-29 11:03 Sam James
2023-03-29  2:27 Sam James
2023-03-29  2:27 Sam James
2023-03-29  1:51 Sam James
2023-03-29  1:51 Sam James
2023-01-03  4:48 Sam James
2023-01-03  4:48 Sam James
2022-11-07 23:46 Sam James
2022-09-03  1:49 Sam James
2022-09-03  1:42 Sam James
2022-09-03  1:42 Sam James
2022-07-20  5:34 Sam James
2022-07-13  8:03 Matthias Maier

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1684448472.d790d32d696ca7788cc37751612cee96d65070b4.sam@gentoo \
    --to=sam@gentoo.org \
    --cc=gentoo-commits@lists.gentoo.org \
    --cc=gentoo-dev@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox