diff options
| author | V3n3RiX <venerix@koprulu.sector> | 2023-12-28 07:37:55 +0000 |
|---|---|---|
| committer | V3n3RiX <venerix@koprulu.sector> | 2023-12-28 07:37:55 +0000 |
| commit | d46d1d3a5897cade51811b3848c7bf27969da625 (patch) | |
| tree | 0dabb04db53e3fe66abe43df0a3cdff5d3b664db /sec-keys | |
| parent | e67d5b4ba05349b3bf4229d0cf7d069809c4420e (diff) | |
gentoo auto-resync : 28:12:2023 - 07:37:55
Diffstat (limited to 'sec-keys')
| -rw-r--r-- | sec-keys/Manifest.gz | bin | 23246 -> 23251 bytes | |||
| -rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/Manifest | 6 | ||||
| -rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230925.ebuild | 233 | ||||
| -rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231106.ebuild | 233 | ||||
| -rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231113.ebuild | 233 |
5 files changed, 0 insertions, 705 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz Binary files differindex 923f35d61bf3..c5a1fbe845d0 100644 --- a/sec-keys/Manifest.gz +++ b/sec-keys/Manifest.gz diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index ab3f2bd937dc..411adcf71f53 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -1,13 +1,7 @@ AUX keyring-mangler.py 3061 BLAKE2B a5acb20346c8eb4b036773562625ac39469d378a343c8bfcbb23391a61876f57aae7015f2d78e468a606330275686f2187d7a8a81a7d940a1e8329c2ea916a62 SHA512 60f7174319f77484eb389486e6f74c23a27d8211128d261497b3d095e3f7a8744c5402c29ae84a6e4833b77406e301dfd5c7b4cf8d5ffb062e298f177a1ff052 -DIST openpgp-keys-gentoo-developers-20230925-active-devs.gpg 3094306 BLAKE2B 0e70a39a2102630a5285b2b2313a7b3c83cca71f76f75ce5fa0dc0432002d5e57926ce82158f4f9c44c2f671a5a44076781a6ca8a1ce330d5bd97ba2e3726a97 SHA512 395c499833a07506b7f44bfbab2851361ece5885dd53d606699eefb523b60a13078ae87e6ebd46f9a7644adfc8920fe141ac777ec260b747d13c3359631fa27b DIST openpgp-keys-gentoo-developers-20231030-active-devs.gpg 3116604 BLAKE2B cf90b160f4ba7f3b0b2b7884f80f36e573893afbc4f3d6373993af7334c1f38426cedcfd9ebf4f6b38591568baa21afa5c243e2101887200bc51d205003fc3be SHA512 009f7b9eb9d8136406658544b559698a4b17c507ac91931463345c712780eee3935ad35aa9b9f5b5d85083ebc1ea646bf51877a165be184a9cbd8f73b8b1c3d7 -DIST openpgp-keys-gentoo-developers-20231106-active-devs.gpg 3117324 BLAKE2B 30a10227a2970b828bb7eafe710356cea9e8983e9c808ca3bc9858e8ae9e9d8efec5a982f03101f273f82cf8ec55afcf0005b29e578ea039376bf093f2f9ab0a SHA512 70333f7647672e586eed3ae62d479d0b8bbb67e0eec2e7068cb8e2cbb60e2c5540ce8d06c08c3f80ce338824e203fddc04422eb002512eb8d5f1513a4a7b5c37 -DIST openpgp-keys-gentoo-developers-20231113-active-devs.gpg 3117324 BLAKE2B 30a10227a2970b828bb7eafe710356cea9e8983e9c808ca3bc9858e8ae9e9d8efec5a982f03101f273f82cf8ec55afcf0005b29e578ea039376bf093f2f9ab0a SHA512 70333f7647672e586eed3ae62d479d0b8bbb67e0eec2e7068cb8e2cbb60e2c5540ce8d06c08c3f80ce338824e203fddc04422eb002512eb8d5f1513a4a7b5c37 DIST openpgp-keys-gentoo-developers-20231120-active-devs.gpg 3117324 BLAKE2B 30a10227a2970b828bb7eafe710356cea9e8983e9c808ca3bc9858e8ae9e9d8efec5a982f03101f273f82cf8ec55afcf0005b29e578ea039376bf093f2f9ab0a SHA512 70333f7647672e586eed3ae62d479d0b8bbb67e0eec2e7068cb8e2cbb60e2c5540ce8d06c08c3f80ce338824e203fddc04422eb002512eb8d5f1513a4a7b5c37 -EBUILD openpgp-keys-gentoo-developers-20230925.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e EBUILD openpgp-keys-gentoo-developers-20231030.ebuild 7523 BLAKE2B 2b3f5c5c1694b782ac318bdfd0dc7941ce47ed8f60fc2d715b88bf1404cd59639797e65e45891fad1aba9b456c3d356d7cadc1b79a9919cce0a8b1587364f7e5 SHA512 a013e480059fb7b0de2da5581f8d6c01b9eecb0593751fda7b57b4d4e98db2ab6b21a2aaefce7aec0c0981e6dc22fd9fc202bea6dedaf170816bd05c1031311e -EBUILD openpgp-keys-gentoo-developers-20231106.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 -EBUILD openpgp-keys-gentoo-developers-20231113.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-20231120.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7531 BLAKE2B 6047cb6478855d2603cb60e76524742994e06b71c0dbe29d69bff1866ae66a712422d95e8a8495c35b66f3c40fdaf74ea53d34338650b9428e5caa45d7fe5a0c SHA512 e271c6b583c1f2a1c61bc034e24696ae93dbce52f1a541901df12eb64496bf07fced1c99f4d83eb7d20131f666507ba24a460608076f75fbddb58126cd6a6840 MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230925.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230925.ebuild deleted file mode 100644 index a8a3226d3007..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230925.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{10..12} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - PROPERTIES="live" - - BDEPEND="net-misc/curl" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv sparc x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND+=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - sys-apps/grep[pcre] - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_unpack() { - if [[ ${PV} == 9999* ]] ; then - curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die - else - default - fi -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - get_gpg_keyring_dir() { - if [[ ${PV} == 9999* ]] ; then - echo "${WORKDIR}" - else - echo "${DISTDIR}" - fi - } - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - local key - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231106.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231106.ebuild deleted file mode 100644 index fda85a259ff6..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231106.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{10..12} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - PROPERTIES="live" - - BDEPEND="net-misc/curl" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND+=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - sys-apps/grep[pcre] - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_unpack() { - if [[ ${PV} == 9999* ]] ; then - curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die - else - default - fi -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - get_gpg_keyring_dir() { - if [[ ${PV} == 9999* ]] ; then - echo "${WORKDIR}" - else - echo "${DISTDIR}" - fi - } - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - local key - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -} diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231113.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231113.ebuild deleted file mode 100644 index fda85a259ff6..000000000000 --- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20231113.ebuild +++ /dev/null @@ -1,233 +0,0 @@ -# Copyright 1999-2023 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -PYTHON_COMPAT=( python3_{10..12} ) -inherit edo python-any-r1 - -DESCRIPTION="Gentoo Authority Keys (GLEP 79)" -HOMEPAGE="https://www.gentoo.org/downloads/signatures/" -if [[ ${PV} == 9999* ]] ; then - PROPERTIES="live" - - BDEPEND="net-misc/curl" -else - SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" -fi - -S="${WORKDIR}" - -LICENSE="public-domain" -SLOT="0" -IUSE="test" -RESTRICT="!test? ( test )" - -BDEPEND+=" - $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') - sec-keys/openpgp-keys-gentoo-auth - test? ( - app-crypt/gnupg - sys-apps/grep[pcre] - ) -" - -python_check_deps() { - python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" -} - -src_unpack() { - if [[ ${PV} == 9999* ]] ; then - curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die - else - default - fi -} - -src_compile() { - export GNUPGHOME="${T}"/.gnupg - - get_gpg_keyring_dir() { - if [[ ${PV} == 9999* ]] ; then - echo "${WORKDIR}" - else - echo "${DISTDIR}" - fi - } - - local mygpgargs=( - --no-autostart - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - mkdir "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - - # Convert the binary keyring into an armored one so we can process it - edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg - edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc - - # Now strip out the keys which are expired and/or missing a signature - # from our L2 developer authority key - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${WORKDIR}"/gentoo-developers.asc \ - "${WORKDIR}"/gentoo-developers-sanitised.asc -} - -src_test() { - export GNUPGHOME="${T}"/tests/.gnupg - - local mygpgargs=( - # We don't have --no-autostart here because we need - # to let it spawn an agent for the key generation. - --no-default-keyring - --homedir "${GNUPGHOME}" - ) - - # From verify-sig.eclass: - # "GPG upstream knows better than to follow the spec, so we can't - # override this directory. However, there is a clean fallback - # to GNUPGHOME." - addpredict /run/user - - # Check each of the keys to verify they're trusted by - # the L2 developer key. - mkdir -p "${GNUPGHOME}" || die - chmod 700 "${GNUPGHOME}" || die - cd "${T}"/tests || die - - # First, grab the L1 key, and mark it as ultimately trusted. - edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc - edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt - - # Generate a temporary key which isn't signed by anything to check - # whether we're detecting unexpected keys. - # - # The test is whether this appears in the sanitised keyring we - # produce in src_compile (it should not be in there). - # - # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html - edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF - %echo Generating temporary key for testing... - - %no-protection - %transient-key - %pubring ${P}-ebuild-test-key.asc - - Key-Type: 1 - Key-Length: 2048 - Subkey-Type: 1 - Subkey-Length: 2048 - Name-Real: Larry The Cow - Name-Email: larry@example.com - Expire-Date: 0 - Handle: ${P}-ebuild-test-key - - %commit - %echo Temporary key generated! - EOF - - # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring - edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc - - # Sign a tiny file with the to-be-injected key for testing rejection below - echo "Hello world!" > "${T}"/tests/signme || die - edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die - - edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc - - # keyring-mangler.py should now produce a keyring *without* it - edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ - "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ - "${T}"/tests/tainted-keyring.asc \ - "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log - assert "Key mangling in tests failed?" - - # Check the log to verify the injected key got detected - grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" - - # gnupg doesn't have an easy way for us to actually just.. ask - # if a key is known via WoT. So, sign a file using the key - # we just made, and then try to gpg --verify it, and check exit code. - # - # Let's now double check by seeing if a file signed by the injected key - # is rejected. - if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then - die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" - fi - - # Bonus lame sanity check - edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log - assert "trustdb call failed!" - - check_trust_levels() { - local mode=${1} - - while IFS= read -r line; do - # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - if [[ ${line} == *depth* ]] ; then - depth=$(echo ${line} | grep -Po "depth: [0-9]") - trust=$(echo ${line} | grep -Po "trust:.*") - - trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") - [[ ${trust_uncalculated} == 0 ]] || ${mode} - - trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") - [[ ${trust_insufficient} == 0 ]] || ${mode} - - trust_never=$(echo ${trust} | grep -Po "[0-9]n") - [[ ${trust_never} == 0 ]] || ${mode} - - trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") - [[ ${trust_marginal} == 0 ]] || ${mode} - - trust_full=$(echo ${trust} | grep -Po "[0-9]f") - [[ ${trust_full} != 0 ]] || ${mode} - - trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") - [[ ${trust_ultimate} == 1 ]] || ${mode} - - echo "${trust_uncalculated}, ${trust_insufficient}" - fi - done < "${T}"/tests/trustdb.log - } - - # First, check with the bad key still in the test keyring. - # This is supposed to fail, so we want it to return 1 - check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" - - # Now check without the bad key in the test keyring. - # This one should pass. - # - # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) - keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ - | grep "^fpr" \ - | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') - - local key - for key in ${keys[@]} ; do - nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} - done - - edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" - check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" - - gpgconf --kill gpg-agent || die -} - -src_install() { - insinto /usr/share/openpgp-keys - newins gentoo-developers-sanitised.asc gentoo-developers.asc - - # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? -} |