From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 2A85815806E for ; Mon, 15 May 2023 04:10:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 4CB0EE08D6; Mon, 15 May 2023 04:10:45 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 19457E08D6 for ; Mon, 15 May 2023 04:10:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B6748340E18 for ; Mon, 15 May 2023 04:10:43 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id EA64CA6E for ; Mon, 15 May 2023 04:10:41 +0000 (UTC) From: "Sam James" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" Message-ID: <1684123790.cbe3973666b257e09bb09a580e1e6e199eaa56e2.sam@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/ X-VCS-Repository: repo/gentoo X-VCS-Files: sec-keys/openpgp-keys-gentoo-developers/Manifest sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230417.ebuild sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230424.ebuild sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230501.ebuild X-VCS-Directories: sec-keys/openpgp-keys-gentoo-developers/ X-VCS-Committer: sam X-VCS-Committer-Name: Sam James X-VCS-Revision: cbe3973666b257e09bb09a580e1e6e199eaa56e2 X-VCS-Branch: master Date: Mon, 15 May 2023 04:10:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 406545ad-6e69-48bf-b088-e25a5e9d75a1 X-Archives-Hash: fd3006a32a36cbea5940f82ba171c787 commit: cbe3973666b257e09bb09a580e1e6e199eaa56e2 Author: Sam James gentoo org> AuthorDate: Mon May 15 02:57:54 2023 +0000 Commit: Sam James gentoo org> CommitDate: Mon May 15 04:09:50 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cbe39736 sec-keys/openpgp-keys-gentoo-developers: drop 20230417, 20230424, 20230501 Signed-off-by: Sam James gentoo.org> sec-keys/openpgp-keys-gentoo-developers/Manifest | 3 - .../openpgp-keys-gentoo-developers-20230417.ebuild | 233 --------------------- .../openpgp-keys-gentoo-developers-20230424.ebuild | 233 --------------------- .../openpgp-keys-gentoo-developers-20230501.ebuild | 233 --------------------- 4 files changed, 702 deletions(-) diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index 5bcf3ef83ac3..864f45eec61c 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -1,5 +1,2 @@ DIST openpgp-keys-gentoo-developers-20230403-active-devs.gpg 3033398 BLAKE2B 233549fa600d855df1f4130224c63b10d0df3312886bef1c0486553db3025554a4fff7af104a3f0869390d53837a8d0182d830432e855273da28c753ea579d7e SHA512 33264b9ef002656f5c58dc2b2ff568d01b624c68e2e42db0d388b9a99b45c2d605df0d5db7b5029c0946f524fa7168252ba87908336e6f9ad0717c20d43cd112 -DIST openpgp-keys-gentoo-developers-20230417-active-devs.gpg 3075471 BLAKE2B a1d35a6fa32cd92662ce7913000f043d15b2875865a7839df69c7c5648b70c20c43d59cc8fbc9d5bcbd4ea48ea7e7f8063a79fef624d39c092b60b6741e793bd SHA512 4637d67ab19512c80547f029ab95ba755308f9a88c7de4d417177201620b1e48fc21b4ae2bf40770222076aab10f812a71046ce198bdcfa1d08283a3211a4755 -DIST openpgp-keys-gentoo-developers-20230424-active-devs.gpg 3077177 BLAKE2B 37795ba97540163c722f6642d001767a64a19ed6e2ca64ed1aa6b69f363aac96f25c7f9adb244a35eb8786902048a1b78b1f1b4bccfa26bcf23638c6bb85c07f SHA512 3a610650a1f1aa5e17c33eed5b78521df523fc068004015f42d13eb8b72b08d7f9296420bb70fefae879c0eca2a2128c43149512fce07d01f78c088325e2c453 -DIST openpgp-keys-gentoo-developers-20230501-active-devs.gpg 3083340 BLAKE2B 464837904637d6271348a0f18a882670c75c04a0e88e212efcf6715b840a9a0f6c63933bb341dfdfc0912d52f90dcb35fcd07f375bf3fdac4a35fb0cc03e029b SHA512 b2781930ddab8d17f17393be0e0535144b0a800e4178bce3a15c5cc2a8c973cf95ad51aa9ccfae5763057a5fce434eb6279d92b7064c0744a78e198b78b4f436 DIST openpgp-keys-gentoo-developers-20230508-active-devs.gpg 3084780 BLAKE2B e7bdf7d2dd4031c63b8acc326c4f11b1f31639d97fa18eb37ec40805789e6c574d5443b0028f204375d0854e661ed2893ca960e9663b41c67b91d87d4e50466d SHA512 bcd0bc704e36dbfdb37cce3739336af7767c64eb9e443607c743c608274676b779e158bdb34ab22d6da6921c3c7b43ecd729c856600c530757fb7da020bf9d67 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230417.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230417.ebuild deleted file mode 100644 index efd0694ab707..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230417.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{9..11} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - PROPERTIES="live" - - BDEPEND="net-misc/curl" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND+=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - sys-apps/grep[pcre] - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_unpack() { - if [[ ${PV} == 9999* ]] ; then - curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die - else - default - fi -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - get_gpg_keyring_dir() { - if [[ ${PV} == 9999* ]] ; then - echo "${WORKDIR}" - else - echo "${DISTDIR}" - fi - } - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow " --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow " \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - local key - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow " - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230424.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230424.ebuild deleted file mode 100644 index efd0694ab707..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230424.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{9..11} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - PROPERTIES="live" - - BDEPEND="net-misc/curl" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND+=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - sys-apps/grep[pcre] - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_unpack() { - if [[ ${PV} == 9999* ]] ; then - curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die - else - default - fi -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - get_gpg_keyring_dir() { - if [[ ${PV} == 9999* ]] ; then - echo "${WORKDIR}" - else - echo "${DISTDIR}" - fi - } - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow " --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow " \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - local key - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow " - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230501.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230501.ebuild deleted file mode 100644 index efd0694ab707..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230501.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{9..11} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - PROPERTIES="live" - - BDEPEND="net-misc/curl" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND+=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - sys-apps/grep[pcre] - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_unpack() { - if [[ ${PV} == 9999* ]] ; then - curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die - else - default - fi -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - get_gpg_keyring_dir() { - if [[ ${PV} == 9999* ]] ; then - echo "${WORKDIR}" - else - echo "${DISTDIR}" - fi - } - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow " --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow " \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - local key - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow " - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -}