gentoo auto-resync : 15:07:2024 - 12:27:33

author: V3n3RiX <venerix@koprulu.sector> 2024-07-15 12:27:33 +0100
committer: V3n3RiX <venerix@koprulu.sector> 2024-07-15 12:27:33 +0100
commit: 868fd5dc8aab84930cfaa5252b8be06b35552765 (patch)
tree: 0c0cebf818c30c6f871f00ce1e7599775a7e561c /sec-keys
parent: f7adcd4ee556b2c3a420239c13fb74113d791f6a (diff)
8 files changed, 253 insertions, 35 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz
index 57a6958b8940..fdcb641b41f0 100644
--- a/sec-keys/Manifest.gz
+++ b/sec-keys/Manifest.gz
diff --git a/sec-keys/openpgp-keys-gentoo-auth/Manifest b/sec-keys/openpgp-keys-gentoo-auth/Manifest
index 23f241fd35c6..6aa9f1667459 100644
--- a/sec-keys/openpgp-keys-gentoo-auth/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-auth/Manifest
@@ -1,5 +1,3 @@
-DIST gentoo-auth.asc.20230329.gz 3371 BLAKE2B 2d4940e50c8b415f48a0fe479b95dbe1f2ab83af8eceda582ecd9386fada54126cce2fa7e509611fe8d51b14dc1638b3aa19f87fbe2b7bb8dffc91657ead2a48 SHA512 b516104e6affbcdced8aba100a0eadb82b1fc3a6cc8ed907486e30c44e78f77dabd6dc1e02383537d13a380247f315b7c53711e3b5994242a84afeca4af755fd
 DIST gentoo-auth.asc.20240703.gz 3348 BLAKE2B 0594bffecc718e0314a04f6a85c2d77d9a70d910eeea7dd1c87ba3381f0e4c0670975e2489efd289287326de0fee9284916dd60547e1cf2acf838b5da70fb0e4 SHA512 a491cac10e9a7a182b0e886ab94926f340eb1bd124142737097c7f0af8e713a4586a595638d6b08c3ccf6c873cbe9aae2dbe635b51d2b2c7adfaefdcbbc56fa1
-EBUILD openpgp-keys-gentoo-auth-20230329.ebuild 786 BLAKE2B 10ffdd9503faffaaf806befb7fa73600cf9dbb2636d8164c7c098f88b627bc78e24f4b7b22d29780ea4f65bb64765d55d4097ddd311db3cf7142560085b74e34 SHA512 1f21a9f6eb74ecab1479726c8e2c6870ac28d3d799b730cdaaab2ec28b6cd6e2a761b94644d6edb9ae177cbbef296c492303337587432bf1839455656a9b92e8
 EBUILD openpgp-keys-gentoo-auth-20240703.ebuild 788 BLAKE2B a05e6b79d8555b94b9664b86b0982dae0ccf441a06e0f18a32db9111bb9091f065e7b4718a0f11685d1ad3ebdd45863c1ef5f95e714c732435c21b15ec2f3340 SHA512 3245acc47caf0a52fa40bcc4244659d5360cb74f1308f4a957849aa305b36a5f53e9cedf27b6e864306e22a75c20cbe6a7bd97cdbd59b75131fdd39c30eb30e6
 MISC metadata.xml 272 BLAKE2B 583272860b0b9615e8d57fed7ced1a93035bf0c25285d230412ac7af2e48a8156c2e9d9c0581da80f913a2748eb76579b64648fd1e22ce0bc89da66aafa30809 SHA512 19c90c888b76564e32674364a753ba2d6a0b9ce6f3a97f45bb876c32f83c8206e6ec318e0960747b2003a4c3a426994f25c6b83da8b294d575f45e80c6105d89
diff --git a/sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20230329.ebuild b/sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20230329.ebuild
deleted file mode 100644
index b751e4d95566..000000000000
--- a/sec-keys/openpgp-keys-gentoo-auth/openpgp-keys-gentoo-auth-20230329.ebuild
+++ /dev/null
@@ -1,27 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-SRC_URI="https://dev.gentoo.org/~mgorny/dist/openpgp-keys/gentoo-auth.asc.${PV}.gz"
-
-LICENSE="public-domain"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-
-S=${WORKDIR}
-
-# Keys included:
-# ABD00913019D6354BA1D9A132839FE0D796198B1
-# 18F703D702B1B9591373148C55D3238EC050396E
-# 2C13823B8237310FA213034930D132FF0FF50EEB
-
-src_install() {
-	insinto /usr/share/openpgp-keys
-	newins "gentoo-auth.asc.${PV}" gentoo-auth.asc
-	newins - gentoo-auth-ownertrust.txt <<-EOF
-		ABD00913019D6354BA1D9A132839FE0D796198B1:6:
-	EOF
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index 8b15b403f0ea..b76547df171b 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,5 +1,7 @@
-AUX keyring-mangler.py 3061 BLAKE2B a5acb20346c8eb4b036773562625ac39469d378a343c8bfcbb23391a61876f57aae7015f2d78e468a606330275686f2187d7a8a81a7d940a1e8329c2ea916a62 SHA512 60f7174319f77484eb389486e6f74c23a27d8211128d261497b3d095e3f7a8744c5402c29ae84a6e4833b77406e301dfd5c7b4cf8d5ffb062e298f177a1ff052
+AUX keyring-mangler.py 3166 BLAKE2B 113976354d1105285106298e2445a120fa81c57e5914d23687ee5e24f1fa4c3443afa406be327001a1119fddfffaca85fab754b475134239f3bcf761b6ca6ac4 SHA512 5ad20ba2765ad1ce3e3d9ab14a2a5a95f0e32cab6e3052001dab32f4578765dc74dc27684ff4a98d937acea5f12a0bc616be52749de88d6e53931f834ae32785
 DIST openpgp-keys-gentoo-developers-20240422-active-devs.gpg 3204733 BLAKE2B b761e0f3f281545748eb8719b3ddd8eb55444090749218a579a94fddfafc735e3d36461662699fb1081fa70913d4449e51460f83d6ad10206c64ccdd313578e6 SHA512 b83232b2ed135bec63b5437aa49812b620de2de4d77874bc19b6d3caf2d7c0d295d58583b1cdc706ddc4e6d415c3391e6c6d1dc68b48556c865f36670575affe
-EBUILD openpgp-keys-gentoo-developers-20240422.ebuild 7523 BLAKE2B fc3aea669deecb63c8cf32445f3cecf2e5a03b58a97af4095e3419f147af43d8b69bbef3b706ee51a6ad6098717979c5effa72d1b2b60585496b15af668f2025 SHA512 6ed6217d6d866706d6206b0480d4c58ce51a12c9a2f28e4665972cf004ba672b86ae7620a12d8de76e59895d63289d69a80d77ada89d3e1edb866e705676c2ad
-EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840
+DIST openpgp-keys-gentoo-developers-20240708-active-devs.gpg 3122417 BLAKE2B f1a1727be347f66b9114f55dba31ed461785a5e8c633415896bb072fd5a6239db526e68d0ac3423e7cd6336a23542c9e48a02f36e18f83f0c7bd177ffd1fb1f8 SHA512 02626833edfb7ff943b96f8885df22ca24cec1a0ea7c9d23d702deb79b921bbe8fb8640d3f2275ffc413924b8f8a079a277b155157a142f519298e3771513f9e
+EBUILD openpgp-keys-gentoo-developers-20240422.ebuild 7711 BLAKE2B b5fc8a6a9da7e37d0090b587d789a632e0155de3d56b6ac1a85d301579f10f8b7ba1c28f07ee0ed4566679528e39f3be2a2f078f6ea61e2cfcf8a179dce23418 SHA512 85484b1969992949d2879c1ab0ccef4bf9691167232343d7cc5ac9bcc9eb98924355799d05dc9ed79fe71b086f11af74a0f92b4de6b9890c17b6435545b0f486
+EBUILD openpgp-keys-gentoo-developers-20240708.ebuild 7719 BLAKE2B d5516ddfc5e897b6b4ec3332af99fb7d5ff87c2962fefaa607bc1985455f862a049d311b4f75ea86b152c2934719c72b06cbc9beb62f6ae88661dddc3c9e358d SHA512 733d9c414421b5d9d0aa0719408d347dd26a6f4d762aa1f13ea261b15d8274ff52034e0015376e35d579936ab1df29478a45b944cd6f078af5c6744391826b46
+EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7719 BLAKE2B d5516ddfc5e897b6b4ec3332af99fb7d5ff87c2962fefaa607bc1985455f862a049d311b4f75ea86b152c2934719c72b06cbc9beb62f6ae88661dddc3c9e358d SHA512 733d9c414421b5d9d0aa0719408d347dd26a6f4d762aa1f13ea261b15d8274ff52034e0015376e35d579936ab1df29478a45b944cd6f078af5c6744391826b46
 MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056
diff --git a/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py b/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py
index 90b4ff68357e..81e7886af56e 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py
+++ b/sec-keys/openpgp-keys-gentoo-developers/files/keyring-mangler.py
@@ -91,5 +91,8 @@ for key in gpg.list_keys(sigs=True):
 
     good_keys.append(key["fingerprint"])
 
+if len(good_keys) <= len(AUTHORITY_KEYS):
+    raise RuntimeError("No valid developer keys were found!")
+
 with open(armored_output, "w", encoding="utf8") as keyring:
     keyring.write(gpg.export_keys(good_keys))
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240422.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240422.ebuild
index ab693b185062..f0c8cb1b5c51 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240422.ebuild
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240422.ebuild
@@ -26,7 +26,7 @@ RESTRICT="!test? ( test )"
 
 BDEPEND+="
 	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
-	sec-keys/openpgp-keys-gentoo-auth
+	>=sec-keys/openpgp-keys-gentoo-auth-20240703
 	test? (
 		app-crypt/gnupg
 		sys-apps/grep[pcre]
@@ -143,6 +143,9 @@ src_test() {
 	echo "Hello world!" > "${T}"/tests/signme || die
 	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
 
+	# keyring-mangler will fail with no valid keys so import the sanitised list from src_compile.
+	edo gpg "${mygpgargs[@]}" --import "${WORKDIR}"/gentoo-developers-sanitised.asc
+
 	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
 
 	# keyring-mangler.py should now produce a keyring *without* it
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240708.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240708.ebuild
new file mode 100644
index 000000000000..8b5c37e28529
--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20240708.ebuild
@@ -0,0 +1,236 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{10..12} )
+inherit edo python-any-r1
+
+DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+if [[ ${PV} == 9999* ]] ; then
+	PROPERTIES="live"
+
+	BDEPEND="net-misc/curl"
+else
+	SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+IUSE="test"
+RESTRICT="!test? ( test )"
+
+BDEPEND+="
+	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
+	>=sec-keys/openpgp-keys-gentoo-auth-20240703
+	test? (
+		app-crypt/gnupg
+		sys-apps/grep[pcre]
+	)
+"
+
+python_check_deps() {
+	python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999* ]] ; then
+		curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
+	else
+		default
+	fi
+}
+
+src_compile() {
+	export GNUPGHOME="${T}"/.gnupg
+
+	get_gpg_keyring_dir() {
+		if [[ ${PV} == 9999* ]] ; then
+			echo "${WORKDIR}"
+		else
+			echo "${DISTDIR}"
+		fi
+	}
+
+	local mygpgargs=(
+		--no-autostart
+		--no-default-keyring
+		--homedir "${GNUPGHOME}"
+	)
+
+	# From verify-sig.eclass:
+	# "GPG upstream knows better than to follow the spec, so we can't
+	# override this directory.  However, there is a clean fallback
+	# to GNUPGHOME."
+	addpredict /run/user
+
+	mkdir "${GNUPGHOME}" || die
+	chmod 700 "${GNUPGHOME}" || die
+
+	# Convert the binary keyring into an armored one so we can process it
+	edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
+	edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
+
+	# Now strip out the keys which are expired and/or missing a signature
+	# from our L2 developer authority key
+	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+			"${WORKDIR}"/gentoo-developers.asc \
+			"${WORKDIR}"/gentoo-developers-sanitised.asc
+}
+
+src_test() {
+	export GNUPGHOME="${T}"/tests/.gnupg
+
+	local mygpgargs=(
+		# We don't have --no-autostart here because we need
+		# to let it spawn an agent for the key generation.
+		--no-default-keyring
+		--homedir "${GNUPGHOME}"
+	)
+
+	# From verify-sig.eclass:
+	# "GPG upstream knows better than to follow the spec, so we can't
+	# override this directory.  However, there is a clean fallback
+	# to GNUPGHOME."
+	addpredict /run/user
+
+	# Check each of the keys to verify they're trusted by
+	# the L2 developer key.
+	mkdir -p "${GNUPGHOME}" || die
+	chmod 700 "${GNUPGHOME}" || die
+	cd "${T}"/tests || die
+
+	# First, grab the L1 key, and mark it as ultimately trusted.
+	edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
+	edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
+
+	# Generate a temporary key which isn't signed by anything to check
+	# whether we're detecting unexpected keys.
+	#
+	# The test is whether this appears in the sanitised keyring we
+	# produce in src_compile (it should not be in there).
+	#
+	# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
+	edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
+		%echo Generating temporary key for testing...
+
+		%no-protection
+		%transient-key
+		%pubring ${P}-ebuild-test-key.asc
+
+		Key-Type: 1
+		Key-Length: 2048
+		Subkey-Type: 1
+		Subkey-Length: 2048
+		Name-Real: Larry The Cow
+		Name-Email: larry@example.com
+		Expire-Date: 0
+		Handle: ${P}-ebuild-test-key
+
+		%commit
+		%echo Temporary key generated!
+	EOF
+
+	# Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
+	edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
+
+	# Sign a tiny file with the to-be-injected key for testing rejection below
+	echo "Hello world!" > "${T}"/tests/signme || die
+	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
+
+	# keyring-mangler will fail with no valid keys so import the sanitised list from src_compile.
+	edo gpg "${mygpgargs[@]}" --import "${WORKDIR}"/gentoo-developers-sanitised.asc
+
+	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
+
+	# keyring-mangler.py should now produce a keyring *without* it
+	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+			"${T}"/tests/tainted-keyring.asc \
+			"${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
+	assert "Key mangling in tests failed?"
+
+	# Check the log to verify the injected key got detected
+	grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
+
+	# gnupg doesn't have an easy way for us to actually just.. ask
+	# if a key is known via WoT. So, sign a file using the key
+	# we just made, and then try to gpg --verify it, and check exit code.
+	#
+	# Let's now double check by seeing if a file signed by the injected key
+	# is rejected.
+	if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
+		die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
+	fi
+
+	# Bonus lame sanity check
+	edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
+	assert "trustdb call failed!"
+
+	check_trust_levels() {
+		local mode=${1}
+
+		while IFS= read -r line; do
+			# gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
+			# gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
+			if [[ ${line} == *depth* ]] ; then
+				depth=$(echo ${line} | grep -Po "depth: [0-9]")
+				trust=$(echo ${line} | grep -Po "trust:.*")
+
+				trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
+				[[ ${trust_uncalculated} == 0 ]] || ${mode}
+
+				trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
+				[[ ${trust_insufficient} == 0 ]] || ${mode}
+
+				trust_never=$(echo ${trust} | grep -Po "[0-9]n")
+				[[ ${trust_never} == 0 ]] || ${mode}
+
+				trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
+				[[ ${trust_marginal} == 0 ]] || ${mode}
+
+				trust_full=$(echo ${trust} | grep -Po "[0-9]f")
+				[[ ${trust_full} != 0 ]] || ${mode}
+
+				trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
+				[[ ${trust_ultimate} == 1 ]] || ${mode}
+
+				echo "${trust_uncalculated}, ${trust_insufficient}"
+			fi
+		done < "${T}"/tests/trustdb.log
+	}
+
+	# First, check with the bad key still in the test keyring.
+	# This is supposed to fail, so we want it to return 1
+	check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
+
+	# Now check without the bad key in the test keyring.
+	# This one should pass.
+	#
+	# Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
+	keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
+		| grep "^fpr" \
+		| sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
+
+	local key
+	for key in ${keys[@]} ; do
+		nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
+	done
+
+	edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
+	check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
+
+	gpgconf --kill gpg-agent || die
+}
+
+src_install() {
+	insinto /usr/share/openpgp-keys
+	newins gentoo-developers-sanitised.asc gentoo-developers.asc
+
+	# TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
+}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild
index fda85a259ff6..8b5c37e28529 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -26,7 +26,7 @@ RESTRICT="!test? ( test )"
 
 BDEPEND+="
 	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
-	sec-keys/openpgp-keys-gentoo-auth
+	>=sec-keys/openpgp-keys-gentoo-auth-20240703
 	test? (
 		app-crypt/gnupg
 		sys-apps/grep[pcre]
@@ -143,6 +143,9 @@ src_test() {
 	echo "Hello world!" > "${T}"/tests/signme || die
 	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
 
+	# keyring-mangler will fail with no valid keys so import the sanitised list from src_compile.
+	edo gpg "${mygpgargs[@]}" --import "${WORKDIR}"/gentoo-developers-sanitised.asc
+
 	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
 
 	# keyring-mangler.py should now produce a keyring *without* it
author	V3n3RiX <venerix@koprulu.sector>	2024-07-15 12:27:33 +0100
committer	V3n3RiX <venerix@koprulu.sector>	2024-07-15 12:27:33 +0100
commit	868fd5dc8aab84930cfaa5252b8be06b35552765 (patch)
tree	0c0cebf818c30c6f871f00ce1e7599775a7e561c /sec-keys
parent	f7adcd4ee556b2c3a420239c13fb74113d791f6a (diff)