diff options
author | V3n3RiX <venerix@koprulu.sector> | 2023-11-06 22:18:32 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-11-06 22:18:32 +0000 |
commit | 0e3680e4c16ff28839745eec6711889fc2e8d7e2 (patch) | |
tree | 6c53e6765a65faa5677ef9555e8b038b752cca85 /sec-keys | |
parent | 9afce155a599e5f4518f3c7913b6424ac13be12e (diff) |
gentoo auto-resync : 06:11:2023 - 22:18:31
Diffstat (limited to 'sec-keys')
-rw-r--r-- | sec-keys/Manifest.gz | bin | 22394 -> 22561 bytes | |||
-rw-r--r-- | sec-keys/openpgp-keys-aacid/Manifest | 4 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20220603.ebuild | 21 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230313.ebuild | 21 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/Manifest | 4 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231023.ebuild | 233 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231030.ebuild | 233 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-jpakkane/Manifest | 3 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-jpakkane/metadata.xml | 12 | ||||
-rw-r--r-- | sec-keys/openpgp-keys-jpakkane/openpgp-keys-jpakkane-20231105.ebuild | 18 |
10 files changed, 503 insertions, 46 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz Binary files differindex d738bee6be0b..2247de14c009 100644 --- a/sec-keys/Manifest.gz +++ b/sec-keys/Manifest.gz diff --git a/sec-keys/openpgp-keys-aacid/Manifest b/sec-keys/openpgp-keys-aacid/Manifest index 6a9dd3233414..99c9b07adc71 100644 --- a/sec-keys/openpgp-keys-aacid/Manifest +++ b/sec-keys/openpgp-keys-aacid/Manifest @@ -1,7 +1,3 @@ -DIST openpgp-keys-aacid-20220603-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc 26510 BLAKE2B a4f3f7863c66397ca9163df0437d8840f8b02f6e43811a31038ee7ad640ea57f01a5ee0c1c54e7efbda68ffdb4c1ffc1db42e82f6439e50f932bd8074392991a SHA512 d0d162c9dd31043cff393c3ec2ec65d37a904ad6f97e3a8509076c6fa2788feaf640dd6d928fa96ccae56a092b9608586a8f90d59af15e677ba5fe9418965d63 -DIST openpgp-keys-aacid-20230313-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc 27634 BLAKE2B a202e2cde9df454b56a576925a1727da10ad1d10f1a9d0cdd76858c0fefcfd0d1648ca5e4c57bfd1dd6687a35c19d75dfd4805c81c69b8ec31d7343cf33c61b7 SHA512 43a8ff2cfd4aab44898d7e00d6c7b0c9f45c654506ebc4d68fb8ee7059ea479e937a285cd98c09fe9af1fad51f29bbba89b6614dddcc858bedd39f3af7f3e313 DIST openpgp-keys-aacid-20230907-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc 28145 BLAKE2B f7cc653b4d147abb44091ed5a61a860bca5f3fce7b14ec09ab447343d6247537b9d3797b8d4af992187dddf399d2aef4d90ec93d28590da0f437320f05855ed9 SHA512 085e54e1d4fd355196c8eb04190f87fd00cc7bbfe87c933f3b564aba77310abf80bae10959effa8b69fa2d048d9a9c6408cbe78c92edbdbad0fa4b4ee8bf53dd -EBUILD openpgp-keys-aacid-20220603.ebuild 715 BLAKE2B 36c5ec1394834660d82c80bce76d66ada5524f363862c75957f86faa971ea0aabc5f1fe7fd6e91e52cd008c7c593a3809f2c140e275d1c5bdf6c3dcbf3e2bdde SHA512 9eb9fd306edc12e5e03c0c4048081cdd8e9c2cc1f52862de828174b2b26d03025b86dcca2d08326ec4d93c671ef402c94d0368c04d37f9d0dc34df0b8b7c5c73 -EBUILD openpgp-keys-aacid-20230313.ebuild 720 BLAKE2B c4f1072ecf1fc80ed6619b20c45e421eb4c6cef8c29d4e975fc281bf6f6a16a86d03f0314e8879a23f8ff92c4f6c042809255fa8a0f301d745ae3f8cd4c1ac64 SHA512 dd6145cfaf626ef16f1a55b698e2c295fa20cdf388656c0b40056014cccddeb990393d8f057624d209b50d838c3e7b419bf94d78f04a25814f1518faa2d79a91 EBUILD openpgp-keys-aacid-20230907.ebuild 726 BLAKE2B 4b51aad865da79ecc31b48db34bccd291026bab02089ee759eaed87c26c1528ec39a8b82d7439260eb6634c7157d130a2d85d1dbf0affb7e61076b35dcd81aa0 SHA512 9a86e6b892b876e424929aa205d1bcd5988b3026570fd25852b0961a2ebef0ba8441c2ff95da5a2c4485a3f75ae0b54c90841a04b61bce1772736aeb1317937d MISC metadata.xml 629 BLAKE2B b7cc93b83ed533024c82d0de48597ad3298575e6aaeee896302327d9f9dba420f9136df63907eddbb147e4bbf878d559dc52d291729836a7e4e6d326b97522c6 SHA512 30c1568e0d3d82386695dcfb7d859e20161350b9fb17436b9a6fe7f30e511b0eab20a1b9f9375a75c703d0a70f16edbe2f352081fb100acc50bc6bd2f1355e95 diff --git a/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20220603.ebuild b/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20220603.ebuild deleted file mode 100644 index 8a99b52bda4b..000000000000 --- a/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20220603.ebuild +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DESCRIPTION="OpenPGP keys used by Albert Astals Cid" -HOMEPAGE="https://poppler.freedesktop.org/" -# Mirrored from https://pgp.surfnet.nl/pks/lookup?op=get&search=0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7 -SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc" -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" - -src_install() { - local files=( ${A} ) - - insinto /usr/share/openpgp-keys - newins - aacid.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die) -} diff --git a/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230313.ebuild b/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230313.ebuild deleted file mode 100644 index 3e5116f74bec..000000000000 --- a/sec-keys/openpgp-keys-aacid/openpgp-keys-aacid-20230313.ebuild +++ /dev/null @@ -1,21 +0,0 @@ -# Copyright 2022-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -DESCRIPTION="OpenPGP keys used by Albert Astals Cid" -HOMEPAGE="https://poppler.freedesktop.org/" -# Mirrored from https://pgp.surfnet.nl/pks/lookup?op=get&search=0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7 -SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}-0xCA262C6C83DE4D2FB28A332A3A6A4DB839EAA6D7.asc" -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86" - -src_install() { - local files=( ${A} ) - - insinto /usr/share/openpgp-keys - newins - aacid.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die) -} diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index eaaaee177cd6..9dbc016f7262 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -5,11 +5,15 @@ DIST openpgp-keys-gentoo-developers-20230925-active-devs.gpg 3094306 BLAKE2B 0e7 DIST openpgp-keys-gentoo-developers-20231002-active-devs.gpg 3102348 BLAKE2B 13854c1e9daf64c055642cfcfd59dc77119ff3bb98e6a46ec8d4eee093be3c1d39ce284b524da2156e6d28b3b936c8c98de76a6fcca013ab519c6211d05773f9 SHA512 8ebe8d600d47a721ce5f08ad07317164f31c7ef540ed81be7555500e9ffc82fa9a46afeccd08b530936fff10318e094b4ba061108e84886fdb033f7d327eb690 DIST openpgp-keys-gentoo-developers-20231009-active-devs.gpg 3105229 BLAKE2B a5921932d982f3bab8e49100cbf086e684dd5d040f342c1a557455c13b8a8d7533cc7134597967dcfa5f9f3c7bc0a05d7a2889d2bf23f36a8470d8cc9efb1617 SHA512 eeeeaca4be15e20c38e32778b71e9395e8ebcaaf97fcef92a29cf4962d140b6c04b476fb09b197d0e037350450830fbdec4846d5064e3f5b13d860d034724e7d DIST openpgp-keys-gentoo-developers-20231016-active-devs.gpg 3112154 BLAKE2B d08ce599a3faa7dfdd84cca42110590449ac0ab6bb2e4b98b9f79fc9783a8a095d1d25f00e1b6b8c44b338a24de7cba24464206183a73a6a54da4e035dcd7dd0 SHA512 033373cb3f85adc37d29a5468c8d7e6c1a9fe67a7eb907b8abceeabdcc204d43dc6cae4c03fe67b2fcf156ff757785f2a72039002496e845b1f5bc33d085da7e +DIST openpgp-keys-gentoo-developers-20231023-active-devs.gpg 3115884 BLAKE2B 341492ad68bc6b3a1ae8602e3706d13e7916443f690cd7900c01c0c85031b3f031496dfc78c63675899885e92623b8ae1aed38f80edcb0ebcc15d08a6bc62abb SHA512 cff6a2251440ae99ad9522d192db58fd37d62d2f578f5401b2aea0507345c1eb11e3e25e15572409057457811a001fb383d38f746d02bdcf0c32ef7476c6c971 +DIST openpgp-keys-gentoo-developers-20231030-active-devs.gpg 3116604 BLAKE2B cf90b160f4ba7f3b0b2b7884f80f36e573893afbc4f3d6373993af7334c1f38426cedcfd9ebf4f6b38591568baa21afa5c243e2101887200bc51d205003fc3be SHA512 009f7b9eb9d8136406658544b559698a4b17c507ac91931463345c712780eee3935ad35aa9b9f5b5d85083ebc1ea646bf51877a165be184a9cbd8f73b8b1c3d7 EBUILD openpgp-keys-gentoo-developers-20230828.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e EBUILD openpgp-keys-gentoo-developers-20230918.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-20230925.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e EBUILD openpgp-keys-gentoo-developers-20231002.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-20231009.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-20231016.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 +EBUILD openpgp-keys-gentoo-developers-20231023.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 +EBUILD openpgp-keys-gentoo-developers-20231030.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231023.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231023.ebuild new file mode 100644 index 000000000000..fda85a259ff6 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231023.ebuild @@ -0,0 +1,233 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..12} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + PROPERTIES="live" + + BDEPEND="net-misc/curl" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND+=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + sys-apps/grep[pcre] + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + local key + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231030.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231030.ebuild new file mode 100644 index 000000000000..fda85a259ff6 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231030.ebuild @@ -0,0 +1,233 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..12} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + PROPERTIES="live" + + BDEPEND="net-misc/curl" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND+=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + sys-apps/grep[pcre] + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + local key + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} diff --git a/sec-keys/openpgp-keys-jpakkane/Manifest b/sec-keys/openpgp-keys-jpakkane/Manifest new file mode 100644 index 000000000000..9b6384cc9aa4 --- /dev/null +++ b/sec-keys/openpgp-keys-jpakkane/Manifest @@ -0,0 +1,3 @@ +DIST jpakkane-20231105.gpg 3918 BLAKE2B a4e9db8a302d4271c8692e74e78027321b8603376fa44c2813806a91200523eed507ef8c24b0fdcbfe239093f7b3795c6a47a439dd2745b6aaae71a726a4bc04 SHA512 55a75551780d14617baf9a39a56c267cf6d83f11468400d19eefec5328c8246158b638defc1d5fab5583f4e7a79215935c18bf7846913a879e991356cd49cf2b +EBUILD openpgp-keys-jpakkane-20231105.ebuild 584 BLAKE2B 4032618939756bab686d12dca7de16b63a6cd4237311254247e7b2d37e0e237ab1f247ed8942b8cb382db25626bb25d7082e2ae1b29d22c07df4af5b6171bb6a SHA512 5adb19779a29db3c7afa0a9095a8266cfce1a82993af91b73b85b6c812aafed14e26258786b06dd653ed1a99e3130e0f8b10c956214786ca80340b7342c87a88 +MISC metadata.xml 397 BLAKE2B fe5f6ec010a2c933ab8f094f4d0b5eed5874a6f862502ddca50d44bfb25d493f87c21cceb18f39f592e1a93660735da8f41ba93008619f6e702342c661d6505c SHA512 6415963d0c1545e4e4b6464e231cf7f7c7fe20d2088ea8c55e05c168777f4a8fa9405a7fdd8f552d4b0f87fce7dff3a1232f8247f4a530cc94bc61d70b98b5c1 diff --git a/sec-keys/openpgp-keys-jpakkane/metadata.xml b/sec-keys/openpgp-keys-jpakkane/metadata.xml new file mode 100644 index 000000000000..667a16a60d08 --- /dev/null +++ b/sec-keys/openpgp-keys-jpakkane/metadata.xml @@ -0,0 +1,12 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> +<pkgmetadata> + <maintainer type="person" proxied="yes"> + <email>eschwartz93@gmail.com</email> + <name>Eli Schwartz</name> + </maintainer> + <maintainer type="project" proxied="proxy"> + <email>proxy-maint@gentoo.org</email> + <name>Proxy Maintainers</name> + </maintainer> +</pkgmetadata> diff --git a/sec-keys/openpgp-keys-jpakkane/openpgp-keys-jpakkane-20231105.ebuild b/sec-keys/openpgp-keys-jpakkane/openpgp-keys-jpakkane-20231105.ebuild new file mode 100644 index 000000000000..c9414901fdba --- /dev/null +++ b/sec-keys/openpgp-keys-jpakkane/openpgp-keys-jpakkane-20231105.ebuild @@ -0,0 +1,18 @@ +# Copyright 2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="OpenPGP keys used by Jussi Pakkanen" +HOMEPAGE="https://github.com/jpakkane" +SRC_URI="https://github.com/jpakkane.gpg -> jpakkane-${PV}.gpg" +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + +src_install() { + insinto /usr/share/openpgp-keys + newins "${DISTDIR}"/jpakkane-${PV}.gpg jpakkane.gpg +} |