calculate
/
gentoo-overlay
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master64'
${ noResults }
gentoo-overlay/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-develop...

234 lines
7.3 KiB
Raw Permalink Blame History

# Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
PYTHON_COMPAT=( python3_{10..12} )
inherit edo python-any-r1
DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
if [[ ${PV} == 9999* ]] ; then
PROPERTIES="live"
BDEPEND="net-misc/curl"
else
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv sparc x86"
fi
S="${WORKDIR}"
LICENSE="public-domain"
SLOT="0"
IUSE="test"
RESTRICT="!test? ( test )"
BDEPEND+="
$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
sec-keys/openpgp-keys-gentoo-auth
test? (
app-crypt/gnupg
sys-apps/grep[pcre]
)
"
python_check_deps() {
python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
}
src_unpack() {
if [[ ${PV} == 9999* ]] ; then
curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
else
default
fi
}
src_compile() {
export GNUPGHOME="${T}"/.gnupg
get_gpg_keyring_dir() {
if [[ ${PV} == 9999* ]] ; then
echo "${WORKDIR}"
else
echo "${DISTDIR}"
fi
}
local mygpgargs=(
--no-autostart
--no-default-keyring
--homedir "${GNUPGHOME}"
)
# From verify-sig.eclass:
# "GPG upstream knows better than to follow the spec, so we can't
# override this directory. However, there is a clean fallback
# to GNUPGHOME."
addpredict /run/user
mkdir "${GNUPGHOME}" || die
chmod 700 "${GNUPGHOME}" || die
# Convert the binary keyring into an armored one so we can process it
edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
# Now strip out the keys which are expired and/or missing a signature
# from our L2 developer authority key
edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
"${WORKDIR}"/gentoo-developers.asc \
"${WORKDIR}"/gentoo-developers-sanitised.asc
}
src_test() {
export GNUPGHOME="${T}"/tests/.gnupg
local mygpgargs=(
# We don't have --no-autostart here because we need
# to let it spawn an agent for the key generation.
--no-default-keyring
--homedir "${GNUPGHOME}"
)
# From verify-sig.eclass:
# "GPG upstream knows better than to follow the spec, so we can't
# override this directory. However, there is a clean fallback
# to GNUPGHOME."
addpredict /run/user
# Check each of the keys to verify they're trusted by
# the L2 developer key.
mkdir -p "${GNUPGHOME}" || die
chmod 700 "${GNUPGHOME}" || die
cd "${T}"/tests || die
# First, grab the L1 key, and mark it as ultimately trusted.
edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
# Generate a temporary key which isn't signed by anything to check
# whether we're detecting unexpected keys.
#
# The test is whether this appears in the sanitised keyring we
# produce in src_compile (it should not be in there).
#
# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
%echo Generating temporary key for testing...
%no-protection
%transient-key
%pubring ${P}-ebuild-test-key.asc
Key-Type: 1
Key-Length: 2048
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: Larry The Cow
Name-Email: larry@example.com
Expire-Date: 0
Handle: ${P}-ebuild-test-key
%commit
%echo Temporary key generated!
EOF
# Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
# Sign a tiny file with the to-be-injected key for testing rejection below
echo "Hello world!" > "${T}"/tests/signme || die
edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
# keyring-mangler.py should now produce a keyring *without* it
edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
"${T}"/tests/tainted-keyring.asc \
"${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
assert "Key mangling in tests failed?"
# Check the log to verify the injected key got detected
grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
# gnupg doesn't have an easy way for us to actually just.. ask
# if a key is known via WoT. So, sign a file using the key
# we just made, and then try to gpg --verify it, and check exit code.
#
# Let's now double check by seeing if a file signed by the injected key
# is rejected.
if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
fi
# Bonus lame sanity check
edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
assert "trustdb call failed!"
check_trust_levels() {
local mode=${1}
while IFS= read -r line; do
# gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u
# gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u
if [[ ${line} == *depth* ]] ; then
depth=$(echo ${line} | grep -Po "depth: [0-9]")
trust=$(echo ${line} | grep -Po "trust:.*")
trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
[[ ${trust_uncalculated} == 0 ]] || ${mode}
trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
[[ ${trust_insufficient} == 0 ]] || ${mode}
trust_never=$(echo ${trust} | grep -Po "[0-9]n")
[[ ${trust_never} == 0 ]] || ${mode}
trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
[[ ${trust_marginal} == 0 ]] || ${mode}
trust_full=$(echo ${trust} | grep -Po "[0-9]f")
[[ ${trust_full} != 0 ]] || ${mode}
trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
[[ ${trust_ultimate} == 1 ]] || ${mode}
echo "${trust_uncalculated}, ${trust_insufficient}"
fi
done < "${T}"/tests/trustdb.log
}
# First, check with the bad key still in the test keyring.
# This is supposed to fail, so we want it to return 1
check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
# Now check without the bad key in the test keyring.
# This one should pass.
#
# Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
| grep "^fpr" \
| sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
local key
for key in ${keys[@]} ; do
nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
done
edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
gpgconf --kill gpg-agent || die
}
src_install() {
insinto /usr/share/openpgp-keys
newins gentoo-developers-sanitised.asc gentoo-developers.asc
# TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
}
Reference in new issue View Git Blame Copy Permalink