* [gentoo-dev] [PATCH 2/2] verify-sig.eclass: Accept 1-out-of-n sigs on multisig files
2023-01-29 13:03 [gentoo-dev] [PATCH 1/2] verify-sig.eclass: Use gemato openpgp-verify-detached Michał Górny
@ 2023-01-29 13:03 ` Michał Górny
From: Michał Górny @ 2023-01-29 13:03 UTC
To: gentoo-dev; +Cc: Michał Górny
If a distfile has multiple detached signatures, pass verification
if at least one of them can be verified rather than requiring all
of them. This is particularly helpful for upstreams where the whole
set of release keys is hard to come by.
Closes: https://bugs.gentoo.org/873211
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 95e8b357893a..2c8311db49f9 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -146,7 +146,7 @@ verify-sig_verify_detached() {
# https://bugs.gentoo.org/854492
local -x TMPDIR=/tmp
gemato openpgp-verify-detached -K "${key}" \
- "${extra_args[@]}" \
+ "${extra_args[@]}" --no-require-all-good \
"${sig}" "${file}" ||
die "PGP signature verification failed"
;;
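Review bot: Adding `--no-require-all-good` to the `gemato openpgp-verify-detached` call makes 1-out-of-n acceptance unconditional for every ebuild that uses this verification path, including packages whose keyring is complete and where a failing signature would be worth stopping on. Consider gating the flag behind an eclass variable that an ebuild sets when the full set of release keys is not available, or at least describe the new behaviour in the eclass documentation for verify-sig_verify_detached, since one good signature from a key in `${key}` is now enough regardless of how many signatures `${sig}` carries.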
--
2.39.1
* [gentoo-dev] [PATCH 1/2] verify-sig.eclass: Remove <dev-python/gemato-20 support
@ 2024-01-05 10:52 Michał Górny
2024-01-05 10:52 ` [gentoo-dev] [PATCH 2/2] verify-sig.eclass: Accept 1-out-of-n sigs on multisig files Michał Górny
From: Michał Górny @ 2024-01-05 10:52 UTC
To: gentoo-dev; +Cc: Michał Górny
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d5f71669538e..31e3cca09379 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -68,7 +68,7 @@ case ${VERIFY_SIG_METHOD} in
BDEPEND="
verify-sig? (
app-crypt/gnupg
- >=app-portage/gemato-16
+ >=app-portage/gemato-20
)
"
;;
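Review bot: The atom raised in BDEPEND is `>=app-portage/gemato-20`, but the commit subject names `<dev-python/gemato-20`; the category in the subject should be app-portage so that it matches the dependency actually being changed. The message also has no body, and one sentence on why the floor moves from 16 to 20 would help anyone reading the log later.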
@@ -159,16 +159,10 @@ verify-sig_verify_detached() {
# gpg can't handle very long TMPDIR
# https://bugs.gentoo.org/854492
local -x TMPDIR=/tmp
- if has_version ">=app-portage/gemato-20"; then
- gemato openpgp-verify-detached -K "${key}" \
- "${extra_args[@]}" \
- "${sig}" "${file}" ||
- die "PGP signature verification failed"
- else
- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
- gpg --verify "${sig}" "${file}" ||
- die "PGP signature verification failed"
- fi
+ gemato openpgp-verify-detached -K "${key}" \
+ "${extra_args[@]}" \
+ "${sig}" "${file}" ||
+ die "PGP signature verification failed"
;;
signify)
signify -V -p "${key}" -m "${file}" -x "${sig}" ||
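Review bot: The surviving `die "PGP signature verification failed"` after `gemato openpgp-verify-detached` does not say which distfile or signature was rejected, which is awkward when an ebuild verifies several files. Since this block is being rewritten anyway, consider including `${file}` (and `${sig}`) in the message. Note also that with the `has_version` branch removed this call depends entirely on the BDEPEND bump in the previous hunk, so the two changes must not be split or reverted separately.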
--
2.43.0
* [gentoo-dev] [PATCH 2/2] verify-sig.eclass: Accept 1-out-of-n sigs on multisig files
2024-01-05 10:52 [gentoo-dev] [PATCH 1/2] verify-sig.eclass: Remove <dev-python/gemato-20 support Michał Górny
@ 2024-01-05 10:52 ` Michał Górny
From: Michał Górny @ 2024-01-05 10:52 UTC
To: gentoo-dev; +Cc: Michał Górny
If a distfile has multiple detached signatures, pass verification
if at least one of them can be verified rather than requiring all
of them. This is particularly helpful for upstreams where the whole
set of release keys is hard to come by.
Closes: https://bugs.gentoo.org/873211
Closes: https://github.com/gentoo/gentoo/pull/29224
Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
eclass/verify-sig.eclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 31e3cca09379..8b9e21b03e2f 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -160,7 +160,7 @@ verify-sig_verify_detached() {
# https://bugs.gentoo.org/854492
local -x TMPDIR=/tmp
gemato openpgp-verify-detached -K "${key}" \
- "${extra_args[@]}" \
+ "${extra_args[@]}" --no-require-all-good \
"${sig}" "${file}" ||
die "PGP signature verification failed"
;;
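Review bot: `--no-require-all-good` is passed here with no version guard, so the `>=app-portage/gemato-20` floor set in patch 1/2 has to be a release that already accepts this option; please confirm that, or raise the floor in this patch. A test distfile with one verifiable and one unverifiable signature would also be worth adding, so that both the new pass case and the still-failing zero-good-signatures case are covered.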
--
2.43.0