diff options
author | V3n3RiX <venerix@koprulu.sector> | 2022-09-03 04:17:52 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-09-03 04:17:52 +0100 |
commit | fa78c918d026c911c1bcd700b1d1000aaff22359 (patch) | |
tree | a8cfaa014e1cc6767205561f289db206ea721680 /sec-keys/openpgp-keys-gentoo-developers | |
parent | ec321939a77843497c860196ea06d7776d94b755 (diff) |
gentoo auto-resync : 03:09:2022 - 04:17:52
Diffstat (limited to 'sec-keys/openpgp-keys-gentoo-developers')
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/Manifest | 9 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild | 214 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild (renamed from sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild) | 23 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild | 25 |
4 files changed, 44 insertions, 227 deletions
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index d056cb37c3c5..720ff6f6822a 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -1,8 +1,5 @@ AUX keyring-mangler.py 3005 BLAKE2B e5435432b79156c26120af950f46f9a916af7261a78b40081eb140e18b3fd4f0d2ce55cd2ed305bdd4f60b569edfb513c1151a6255838a750d37225715e87e4f SHA512 bd4dc3dee66c0f0b8b657da1fabfbda96ea03b77d1080fa1d07b14d2a9571fe91f7589131893b75548122e772678760c7722fd8a46e120c40d8dbb8cb4341dc9 -DIST openpgp-keys-gentoo-developers-20220711-active-devs.gpg 3237775 BLAKE2B 511e4ea8907593b5ed05c79a0bf6ae131856f0511f3f6a744f393a077ad25fe3f6780caac60d4f94965d4c0aa14debae068599f50920caeaad44303a844bf7ed SHA512 c0122037a3bfde1eec0c3ca7a303ff82f532c518427b34814c12949572c18537f617db22563c15d40fd41f0c94e6c50bcd3e0d3d7d1175400057aafbe41ae2b2 -DIST openpgp-keys-gentoo-developers-20220718-active-devs.gpg 3238135 BLAKE2B a500165c89d28d1aef314ef10e639efe5b354cb39cca2c0565b43b55c580eed26d74be1d45b3be3d55d7879f25282d367cca6e04423df59191b7eedfcc1def88 SHA512 e51afcb31f81ee8596c9b2393fae41d8c67fc363d71f91296195369a428371e6151b81fd57a0cff382ad3493e57b6527126abedcdbc72b32f1bd5b2021e029eb -DIST openpgp-keys-gentoo-developers-99999999-active-devs.gpg 3238135 BLAKE2B a500165c89d28d1aef314ef10e639efe5b354cb39cca2c0565b43b55c580eed26d74be1d45b3be3d55d7879f25282d367cca6e04423df59191b7eedfcc1def88 SHA512 e51afcb31f81ee8596c9b2393fae41d8c67fc363d71f91296195369a428371e6151b81fd57a0cff382ad3493e57b6527126abedcdbc72b32f1bd5b2021e029eb -EBUILD openpgp-keys-gentoo-developers-20220711.ebuild 7250 BLAKE2B 4e1a2d11e880c008e0d52c8677403f646bb883177e9b46f6acf0ee9eedc02fb556bc8769154ab1bf2c7819fa698ab2b23492b0984af738bf8c6c11e1d4dee325 SHA512 369a181fcf1dc1a07a2250c0e023a4572dc79e46b28a9b9ce20c64891d40066dc584fb89f0efb11927971e7635d1ead5a9bc9acb605d61347dc6fbd7a3ccaa6b -EBUILD openpgp-keys-gentoo-developers-20220718.ebuild 7250 BLAKE2B 4e1a2d11e880c008e0d52c8677403f646bb883177e9b46f6acf0ee9eedc02fb556bc8769154ab1bf2c7819fa698ab2b23492b0984af738bf8c6c11e1d4dee325 SHA512 369a181fcf1dc1a07a2250c0e023a4572dc79e46b28a9b9ce20c64891d40066dc584fb89f0efb11927971e7635d1ead5a9bc9acb605d61347dc6fbd7a3ccaa6b -EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7275 BLAKE2B c23960a12c13cc5d404dc225c11e840cc9214b4632418441ab4822d1040ed381efe3de3acbd68554249d8061d8b1e8342a786bcf76969bd2aa87933a49397cfc SHA512 4c0051b7850b38d1fd7449d276262004ee55fddabd70547c2a355f47a419beb97a12a462ab555c2fba9e5b96412ac01bfea020a0decb8b2cdc805150fad4ae37 +DIST openpgp-keys-gentoo-developers-20220830-active-devs.gpg 3234718 BLAKE2B 80753222b4d2febf0d8568503d646e0258410010eefa35ea3914f5979ea05f12634676212df392f5ddbb153899cd7452ee89d412bea9de8e67abf93243444fa8 SHA512 2676fe541cdad8755f745ebd24badd7b4193bdff71f478f2442fea84e1e07b060564d437ce642b01a37ba8086a8177a84c32abf3dd794be8e587e1740bed2af2 +EBUILD openpgp-keys-gentoo-developers-20220830.ebuild 7478 BLAKE2B 2cf9f4724f45fe96f948b3ec06ad00ac8f0c3067d0b029715074587f1a7be32ec29d3246704169fd8159969376b3e0a32e9771da7fae2990f9445de235ff856f SHA512 bc95b6ddfe56a9a8e83d47f9282beb4e65dc84117b2387e7159731a7761bd9e0bfd5396ff3b37e445f1170a79c1c187a1525e506ab13418a30188e0859565d10 +EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7478 BLAKE2B 2cf9f4724f45fe96f948b3ec06ad00ac8f0c3067d0b029715074587f1a7be32ec29d3246704169fd8159969376b3e0a32e9771da7fae2990f9445de235ff856f SHA512 bc95b6ddfe56a9a8e83d47f9282beb4e65dc84117b2387e7159731a7761bd9e0bfd5396ff3b37e445f1170a79c1c187a1525e506ab13418a30188e0859565d10 MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild deleted file mode 100644 index 4ff65eaaea85..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild +++ /dev/null @@ -1,214 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{9..11} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" - PROPERTIES="live" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild index 4ff65eaaea85..a3505aa67f03 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild @@ -9,8 +9,9 @@ inherit edo python-any-r1 DESCRIPTION="Gentoo Authority Keys (GLEP 79)" HOMEPAGE="https://www.gentoo.org/downloads/signatures/" if [[ ${PV} == 9999* ]] ; then - SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" PROPERTIES="live" + + BDEPEND="net-misc/curl" else SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86" @@ -23,7 +24,7 @@ SLOT="0" IUSE="test" RESTRICT="!test? ( test )" -BDEPEND=" +BDEPEND+=" $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') sec-keys/openpgp-keys-gentoo-auth test? ( @@ -35,9 +36,25 @@ python_check_deps() { python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" } +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + src_compile() { export GNUPGHOME="${T}"/.gnupg + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + local mygpgargs=( --no-autostart --no-default-keyring @@ -54,7 +71,7 @@ src_compile() { chmod 700 "${GNUPGHOME}" || die # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc # Now strip out the keys which are expired and/or missing a signature diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild index e1500e00b9e0..a3505aa67f03 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild @@ -9,11 +9,12 @@ inherit edo python-any-r1 DESCRIPTION="Gentoo Authority Keys (GLEP 79)" HOMEPAGE="https://www.gentoo.org/downloads/signatures/" if [[ ${PV} == 9999* ]] ; then - SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" PROPERTIES="live" + + BDEPEND="net-misc/curl" else SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86" fi S="${WORKDIR}" @@ -23,7 +24,7 @@ SLOT="0" IUSE="test" RESTRICT="!test? ( test )" -BDEPEND=" +BDEPEND+=" $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') sec-keys/openpgp-keys-gentoo-auth test? ( @@ -35,9 +36,25 @@ python_check_deps() { python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" } +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + src_compile() { export GNUPGHOME="${T}"/.gnupg + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + local mygpgargs=( --no-autostart --no-default-keyring @@ -54,7 +71,7 @@ src_compile() { chmod 700 "${GNUPGHOME}" || die # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc # Now strip out the keys which are expired and/or missing a signature |