diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2022-07-13 07:36:05 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2022-07-13 07:36:05 +0100 |
| commit | 5c0c70d5917e66743293789a6d6fd7d72250eb32 (patch) | |
| tree | f6738b2393c696bb8b19bd6ff0e52aafadf65101 /sec-keys/openpgp-keys-gentoo-developers | |
| parent | c5806fcd6b740ecbd62f4fb2e09d8c8dfa2966fc (diff) | |
gentoo auto-resync : 13:07:2022 - 07:36:05
Diffstat (limited to 'sec-keys/openpgp-keys-gentoo-developers')
5 files changed, 537 insertions, 0 deletions
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest new file mode 100644 index 000000000000..6f9917743716 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -0,0 +1,6 @@ +AUX keyring-mangler.py 3005 BLAKE2B e5435432b79156c26120af950f46f9a916af7261a78b40081eb140e18b3fd4f0d2ce55cd2ed305bdd4f60b569edfb513c1151a6255838a750d37225715e87e4f SHA512 bd4dc3dee66c0f0b8b657da1fabfbda96ea03b77d1080fa1d07b14d2a9571fe91f7589131893b75548122e772678760c7722fd8a46e120c40d8dbb8cb4341dc9 +DIST openpgp-keys-gentoo-developers-20220711-active-devs.gpg 3237775 BLAKE2B 511e4ea8907593b5ed05c79a0bf6ae131856f0511f3f6a744f393a077ad25fe3f6780caac60d4f94965d4c0aa14debae068599f50920caeaad44303a844bf7ed SHA512 c0122037a3bfde1eec0c3ca7a303ff82f532c518427b34814c12949572c18537f617db22563c15d40fd41f0c94e6c50bcd3e0d3d7d1175400057aafbe41ae2b2 +DIST openpgp-keys-gentoo-developers-99999999-active-devs.gpg 3237775 BLAKE2B 511e4ea8907593b5ed05c79a0bf6ae131856f0511f3f6a744f393a077ad25fe3f6780caac60d4f94965d4c0aa14debae068599f50920caeaad44303a844bf7ed SHA512 c0122037a3bfde1eec0c3ca7a303ff82f532c518427b34814c12949572c18537f617db22563c15d40fd41f0c94e6c50bcd3e0d3d7d1175400057aafbe41ae2b2 +EBUILD openpgp-keys-gentoo-developers-20220711.ebuild 7250 BLAKE2B 4e1a2d11e880c008e0d52c8677403f646bb883177e9b46f6acf0ee9eedc02fb556bc8769154ab1bf2c7819fa698ab2b23492b0984af738bf8c6c11e1d4dee325 SHA512 369a181fcf1dc1a07a2250c0e023a4572dc79e46b28a9b9ce20c64891d40066dc584fb89f0efb11927971e7635d1ead5a9bc9acb605d61347dc6fbd7a3ccaa6b +EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7275 BLAKE2B c23960a12c13cc5d404dc225c11e840cc9214b4632418441ab4822d1040ed381efe3de3acbd68554249d8061d8b1e8342a786bcf76969bd2aa87933a49397cfc SHA512 4c0051b7850b38d1fd7449d276262004ee55fddabd70547c2a355f47a419beb97a12a462ab555c2fba9e5b96412ac01bfea020a0decb8b2cdc805150fad4ae37 +MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py b/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py new file mode 100644 index 000000000000..3100e6226375 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py @@ -0,0 +1,94 @@ +#!/usr/bin/env python +# +# Distributed under the terms of the GNU General Public License v2 +# +# Takes as input: +# 1. authority keys as gentoo-auth.asc (sec-keys/openpgp-keys-gentoo-auth); +# 2. a downloaded, unverified bundle of active developers from qa-reports.gentoo.org (https://qa-reports.gentoo.org/output/active-devs.gpg); +# but this must be converted to ASCII first(!), and +# 3. an output file (armored). +# +# Outputs armored keyring with all expired keys dropped and all keys without +# a signature from the L2 developer key dropped. +# +# Usage: python keyring-mangler.py <gentoo-auth.asc> <active-devs.gpg> <output for armored keys.asc> +from xml.dom import ValidationErr + +import gnupg +import os +import sys + +AUTHORITY_KEYS = [ + # Gentoo Authority Key L1 + "ABD00913019D6354BA1D9A132839FE0D796198B1", + # Gentoo Authority Key L2 for Services + "18F703D702B1B9591373148C55D3238EC050396E", + # Gentoo Authority Key L2 for Developers + "2C13823B8237310FA213034930D132FF0FF50EEB", +] + +L2_DEVELOPER_KEY = "30D132FF0FF50EEB" + +# logging.basicConfig(level=os.environ.get("LOGLEVEL", "DEBUG")) + +gentoo_auth = sys.argv[1] +active_devs = sys.argv[2] +armored_output = sys.argv[3] + +gpg = gnupg.GPG(verbose=False, gnupghome=os.environ["GNUPGHOME"]) +gpg.encoding = "utf-8" + +with open(gentoo_auth, "r", encoding="utf8") as keyring: + keys = keyring.read() + gpg.import_keys(keys) + +gpg.trust_keys([AUTHORITY_KEYS[0]], "TRUST_ULTIMATE") + +with open(active_devs, "r", encoding="utf8") as keyring: + keys = keyring.read() + gpg.import_keys(keys) + +# print(keys) +# print(gpg.list_keys) + +good_keys = [] + +for key in gpg.list_keys(sigs=True): + print(f"Checking key={key['keyid']}, uids={key['uids']}") + + # pprint.pprint(key) + + if key["fingerprint"] in AUTHORITY_KEYS: + # Just add this in. + good_keys.append(key["fingerprint"]) + continue + + # https://security.stackexchange.com/questions/41208/what-is-the-exact-meaning-of-this-gpg-output-regarding-trust + if key["trust"] == "e": + # If it's expired, drop the key, as we can't easily then + # verify it because of gpg limitations. + print( + f"Dropping expired {key['keyid']=}, {key['uids']=} (because this prevents validation)" + ) + continue + + if key["trust"] == "-": + print(f"Dropping {key['keyid']=}, {key['uids']=} because no trust calculated") + continue + + if key["trust"] != "f": + print( + f"Dropping {key['keyid']=}, {key['uids']=} because not calculated as fully trusted" + ) + continue + + # As a sanity check, make sure each key has a signature from + # the L2 developer signing key. + got_l2_signature = any(sig[0] == "30D132FF0FF50EEB" for sig in key["sigs"]) + if not got_l2_signature: + raise ValidationErr(f"{key['uids']=} lacks a signature from L2 key!") + + good_keys.append(key["fingerprint"]) + +with open(armored_output, "w", encoding="utf8") as keyring: + keyring.write(gpg.export_keys(good_keys)) diff --git a/sec-keys/openpgp-keys-gentoo-developers/metadata.xml b/sec-keys/openpgp-keys-gentoo-developers/metadata.xml new file mode 100644 index 000000000000..7efb31b9e7f2 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/metadata.xml @@ -0,0 +1,9 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <maintainer type="person"> + <email>sam@gentoo.org</email> + <name>Sam James</name> + </maintainer> + <stabilize-allarches/> +</pkgmetadata> diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild new file mode 100644 index 000000000000..4ff65eaaea85 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild @@ -0,0 +1,214 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{9..11} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" + PROPERTIES="live" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild new file mode 100644 index 000000000000..e1500e00b9e0 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild @@ -0,0 +1,214 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{9..11} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg" + PROPERTIES="live" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} |