From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id B423A158009 for ; Sat, 24 Jun 2023 05:02:05 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id F0770E086A; Sat, 24 Jun 2023 05:02:04 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id D75E9E086A for ; Sat, 24 Jun 2023 05:02:04 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id EEFE2340831 for ; Sat, 24 Jun 2023 05:02:03 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 57537A9F for ; Sat, 24 Jun 2023 05:02:02 +0000 (UTC) From: "Sam James" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sam James" Message-ID: <1687582909.a6c4569a99b46b13cebe2394b6a1d94c4777c25d.sam@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sec-keys/openpgp-keys-gentoo-developers/ X-VCS-Repository: repo/gentoo X-VCS-Files: sec-keys/openpgp-keys-gentoo-developers/Manifest sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild X-VCS-Directories: sec-keys/openpgp-keys-gentoo-developers/ X-VCS-Committer: sam X-VCS-Committer-Name: Sam James X-VCS-Revision: a6c4569a99b46b13cebe2394b6a1d94c4777c25d X-VCS-Branch: master Date: Sat, 24 Jun 2023 05:02:02 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 57b066dc-fff3-4553-a517-b0e17cd0a491 X-Archives-Hash: c385341fd87dbfadcb70234e87c3492b commit: a6c4569a99b46b13cebe2394b6a1d94c4777c25d Author: Sam James gentoo org> AuthorDate: Sat Jun 24 04:58:28 2023 +0000 Commit: Sam James gentoo org> CommitDate: Sat Jun 24 05:01:49 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6c4569a sec-keys/openpgp-keys-gentoo-developers: add 20230619 Signed-off-by: Sam James gentoo.org> sec-keys/openpgp-keys-gentoo-developers/Manifest | 1 + .../openpgp-keys-gentoo-developers-20230619.ebuild | 233 +++++++++++++++++++++ 2 files changed, 234 insertions(+) diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index 98ae84c85c89..d22ad0788d5f 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -1,3 +1,4 @@ DIST openpgp-keys-gentoo-developers-20230403-active-devs.gpg 3033398 BLAKE2B 233549fa600d855df1f4130224c63b10d0df3312886bef1c0486553db3025554a4fff7af104a3f0869390d53837a8d0182d830432e855273da28c753ea579d7e SHA512 33264b9ef002656f5c58dc2b2ff568d01b624c68e2e42db0d388b9a99b45c2d605df0d5db7b5029c0946f524fa7168252ba87908336e6f9ad0717c20d43cd112 DIST openpgp-keys-gentoo-developers-20230605-active-devs.gpg 3090284 BLAKE2B 38e913e1d45a4fe18135c25e8f887400ff6a19fd93a3a5d645aae9635e4ad9251ed13c4f2a8b78bf6b0cc54acb0c8a96d7869bb9f2ab62124c9f41a614a0e857 SHA512 a94493497a2aa389fbd8b2675990036cc6d09a9563a4fe8e7fa15f2b74eead7a55189315c97dbb68ce7a047abe4111d6d1dea39ca4ba357c11465bde99e9575f DIST openpgp-keys-gentoo-developers-20230612-active-devs.gpg 3093884 BLAKE2B bd8ca7f39b9b31187479f73031358af3285b5ca320794e660af3f93750c38e75be4e1d19fafc5735fc46d1ba6bebdc82a5e1954e72b1f2bf01b3e348ba0389a1 SHA512 8a98a086f6696632552e4b6a40168bafffae85f8da8fc9a993125c0c03fb45174fa46f05572c3c17d3effe3a77ccaeef5ab34cf1ebd430d0bbfff140ecf617c1 +DIST openpgp-keys-gentoo-developers-20230619-active-devs.gpg 3104963 BLAKE2B 1a23171097c697d2991617b6e0920cfed2d78f111241436251db1ed97e1a79ed5649931a788013a85402f928f5e348620d99144e6ea50f9639869bfe1a477766 SHA512 3b82bdcffc2663891bf962b566754cd15608c0227ef928b357133b87576c82f9e31b082e5969192ddbf5cf02d854483b96bf81386c7369c074537edefa62d35e diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild new file mode 100644 index 000000000000..fda85a259ff6 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230619.ebuild @@ -0,0 +1,233 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..12} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + PROPERTIES="live" + + BDEPEND="net-misc/curl" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND+=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + sys-apps/grep[pcre] + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow " --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow " \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + local key + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow " + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +}