From: "Sam James" <sam@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/
Date: Fri, 4 Aug 2023 11:25:56 +0000 (UTC) [thread overview]
Message-ID: <1691147777.5753c2b39559972d6d781532fc13f2b714013309.sam@gentoo> (raw)
commit: 5753c2b39559972d6d781532fc13f2b714013309
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 4 11:16:12 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Aug 4 11:16:17 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5753c2b3
sec-keys/openpgp-keys-gentoo-developers: drop versions
Signed-off-by: Sam James <sam <AT> gentoo.org>
sec-keys/openpgp-keys-gentoo-developers/Manifest | 5 -
.../openpgp-keys-gentoo-developers-20230612.ebuild | 233 ---------------------
.../openpgp-keys-gentoo-developers-20230619.ebuild | 233 ---------------------
.../openpgp-keys-gentoo-developers-20230626.ebuild | 233 ---------------------
.../openpgp-keys-gentoo-developers-20230703.ebuild | 233 ---------------------
.../openpgp-keys-gentoo-developers-20230710.ebuild | 233 ---------------------
6 files changed, 1170 deletions(-)
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index deabe3e8a074..5d0a9d2f8448 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,6 +1 @@
-DIST openpgp-keys-gentoo-developers-20230612-active-devs.gpg 3093884 BLAKE2B bd8ca7f39b9b31187479f73031358af3285b5ca320794e660af3f93750c38e75be4e1d19fafc5735fc46d1ba6bebdc82a5e1954e72b1f2bf01b3e348ba0389a1 SHA512 8a98a086f6696632552e4b6a40168bafffae85f8da8fc9a993125c0c03fb45174fa46f05572c3c17d3effe3a77ccaeef5ab34cf1ebd430d0bbfff140ecf617c1
-DIST openpgp-keys-gentoo-developers-20230619-active-devs.gpg 3104963 BLAKE2B 1a23171097c697d2991617b6e0920cfed2d78f111241436251db1ed97e1a79ed5649931a788013a85402f928f5e348620d99144e6ea50f9639869bfe1a477766 SHA512 3b82bdcffc2663891bf962b566754cd15608c0227ef928b357133b87576c82f9e31b082e5969192ddbf5cf02d854483b96bf81386c7369c074537edefa62d35e
-DIST openpgp-keys-gentoo-developers-20230626-active-devs.gpg 3115295 BLAKE2B 60f1aa4c7ac4a7066c27b888ec815ea92eb66c028435ca45fdb7db7067dc80fd6a639054cd98acd0780cea0a90dfd58875e7979e8d1825762290c3e21d807d80 SHA512 fb9e7324b7f029ca63b96406477a725fd53a8d3e2020e8d0b25b6ea1e94dc9723bfcf57fcffabed090f879c325f5a533e32554b1a2896cb8c6dc08f9516c057c
-DIST openpgp-keys-gentoo-developers-20230703-active-devs.gpg 3133493 BLAKE2B e87e34262d41b1fe1c49ed3cf7da93268a7c5b451ed06ab6e28554b7f09fafcc01b0c1171d1014539105891bde55f3b91fbefbe28538eda35a4e0d85fdf220e2 SHA512 f94890230712bf71ffc25e17566249d974c7b2dc956356770db29ab0eec8ea9fcf09d99e65ece232643dbd9e088b29eb691100c73e5fcd09abb027bd61dcd77d
-DIST openpgp-keys-gentoo-developers-20230710-active-devs.gpg 3133493 BLAKE2B e87e34262d41b1fe1c49ed3cf7da93268a7c5b451ed06ab6e28554b7f09fafcc01b0c1171d1014539105891bde55f3b91fbefbe28538eda35a4e0d85fdf220e2 SHA512 f94890230712bf71ffc25e17566249d974c7b2dc956356770db29ab0eec8ea9fcf09d99e65ece232643dbd9e088b29eb691100c73e5fcd09abb027bd61dcd77d
DIST openpgp-keys-gentoo-developers-20230717-active-devs.gpg 3104679 BLAKE2B 81777f536f342de356bdc9e5bc6b8b3319bec058c5fff663c80db6b9acbfc625703bf66bbc271c9dbb53de714dc581637ae01bfcd750174579410813c64717c4 SHA512 6f6f5d50d24acaec7774497fb8dc01e240e9b8f93578b5b08ef097b02299c2116deb87264fa3ce3144dc6fbb28d9e2d7363ed2505f5e264d783901b581262105
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230612.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230612.ebuild
deleted file mode 100644
index a8a3226d3007..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230612.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild
deleted file mode 100644
index fda85a259ff6..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230626.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230626.ebuild
deleted file mode 100644
index fda85a259ff6..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230626.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230703.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230703.ebuild
deleted file mode 100644
index fda85a259ff6..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230703.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230710.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230710.ebuild
deleted file mode 100644
index fda85a259ff6..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230710.ebuild
+++ /dev/null
@@ -1,233 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{10..12} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
- SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- sec-keys/openpgp-keys-gentoo-auth
- test? (
- app-crypt/gnupg
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: larry@example.com
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
- edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
- die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated}, ${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
- check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
next reply other threads:[~2023-08-04 11:26 UTC|newest]
Thread overview: 87+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-04 11:25 Sam James [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-08-29 3:51 [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/ Sam James
2024-07-17 5:54 Sam James
2024-07-14 22:33 James Le Cuirot
2024-07-14 15:03 James Le Cuirot
2024-07-14 15:03 James Le Cuirot
2024-07-03 16:21 Michał Górny
2024-04-29 5:44 Sam James
2024-04-27 22:38 Sam James
2024-02-29 7:52 Sam James
2024-02-29 7:52 Sam James
2023-12-29 23:32 Sam James
2023-12-28 3:43 Sam James
2023-12-15 6:44 Sam James
2023-11-25 5:36 Sam James
2023-11-25 5:36 Sam James
2023-11-25 5:36 Sam James
2023-11-25 5:36 Sam James
2023-11-25 5:36 Sam James
2023-11-06 17:15 Sam James
2023-11-06 17:15 Sam James
2023-10-21 23:11 Sam James
2023-10-21 23:11 Sam James
2023-10-08 1:04 Sam James
2023-09-27 3:03 Sam James
2023-09-27 3:03 Sam James
2023-09-27 3:03 Sam James
2023-09-25 1:48 Sam James
2023-09-16 12:53 Sam James
2023-09-07 8:04 Sam James
2023-09-03 7:24 Sam James
2023-09-03 7:24 Sam James
2023-09-01 2:29 Sam James
2023-09-01 2:29 Sam James
2023-09-01 2:29 Sam James
2023-09-01 2:29 Sam James
2023-08-04 11:25 Sam James
2023-08-04 11:25 Sam James
2023-08-04 11:25 Sam James
2023-07-19 20:25 Sam James
2023-07-19 20:25 Sam James
2023-07-19 20:25 Sam James
2023-07-19 20:25 Sam James
2023-06-24 5:02 Sam James
2023-06-24 5:02 Sam James
2023-06-14 4:07 Sam James
2023-06-14 3:10 Sam James
2023-06-14 3:10 Sam James
2023-06-14 3:08 Sam James
2023-06-14 3:08 Sam James
2023-06-14 3:08 Sam James
2023-06-01 5:54 Sam James
2023-06-01 5:54 Sam James
2023-06-01 5:54 Sam James
2023-05-18 22:21 Sam James
2023-05-15 4:10 Sam James
2023-05-15 4:10 Sam James
2023-05-15 4:10 Sam James
2023-05-15 4:10 Sam James
2023-04-23 19:46 Sam James
2023-04-23 7:09 Sam James
2023-04-23 7:05 Sam James
2023-04-08 6:47 Viorel Munteanu
2023-04-04 4:20 Sam James
2023-04-01 0:55 Sam James
2023-03-31 21:28 Sam James
2023-03-31 21:01 Sam James
2023-03-31 20:59 Sam James
2023-03-31 20:59 Sam James
2023-03-29 18:24 Arthur Zamarin
2023-03-29 14:58 Sam James
2023-03-29 11:24 Sam James
2023-03-29 11:24 Sam James
2023-03-29 11:24 Sam James
2023-03-29 11:03 Sam James
2023-03-29 2:27 Sam James
2023-03-29 2:27 Sam James
2023-03-29 1:51 Sam James
2023-03-29 1:51 Sam James
2023-01-03 4:48 Sam James
2023-01-03 4:48 Sam James
2022-11-07 23:46 Sam James
2022-09-03 1:49 Sam James
2022-09-03 1:42 Sam James
2022-09-03 1:42 Sam James
2022-07-20 5:34 Sam James
2022-07-13 8:03 Matthias Maier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1691147777.5753c2b39559972d6d781532fc13f2b714013309.sam@gentoo \
--to=sam@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox