diff options
Diffstat (limited to 'sec-keys')
| -rw-r--r-- | sec-keys/Manifest.gz | bin | 19544 -> 19543 bytes | |||
| -rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/Manifest | 2 | ||||
| -rw-r--r-- | sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild | 233 | ||||
| -rw-r--r-- | sec-keys/openpgp-keys-karelzak/Manifest | 2 | ||||
| -rw-r--r-- | sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild | 20 |
5 files changed, 257 insertions, 0 deletions
diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz Binary files differindex 159523d51660..947310447383 100644 --- a/sec-keys/Manifest.gz +++ b/sec-keys/Manifest.gz diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index 012f32665dc8..331502231ad8 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -1,7 +1,9 @@ AUX keyring-mangler.py 3005 BLAKE2B e5435432b79156c26120af950f46f9a916af7261a78b40081eb140e18b3fd4f0d2ce55cd2ed305bdd4f60b569edfb513c1151a6255838a750d37225715e87e4f SHA512 bd4dc3dee66c0f0b8b657da1fabfbda96ea03b77d1080fa1d07b14d2a9571fe91f7589131893b75548122e772678760c7722fd8a46e120c40d8dbb8cb4341dc9 DIST openpgp-keys-gentoo-developers-20230403-active-devs.gpg 3033398 BLAKE2B 233549fa600d855df1f4130224c63b10d0df3312886bef1c0486553db3025554a4fff7af104a3f0869390d53837a8d0182d830432e855273da28c753ea579d7e SHA512 33264b9ef002656f5c58dc2b2ff568d01b624c68e2e42db0d388b9a99b45c2d605df0d5db7b5029c0946f524fa7168252ba87908336e6f9ad0717c20d43cd112 DIST openpgp-keys-gentoo-developers-20230508-active-devs.gpg 3084780 BLAKE2B e7bdf7d2dd4031c63b8acc326c4f11b1f31639d97fa18eb37ec40805789e6c574d5443b0028f204375d0854e661ed2893ca960e9663b41c67b91d87d4e50466d SHA512 bcd0bc704e36dbfdb37cce3739336af7767c64eb9e443607c743c608274676b779e158bdb34ab22d6da6921c3c7b43ecd729c856600c530757fb7da020bf9d67 +DIST openpgp-keys-gentoo-developers-20230515-active-devs.gpg 3093773 BLAKE2B 481e754067cf3ecdce5792490bda2ea9a8afa412c3b6442955f588b2a1c084032ec9d191b39a1931a25e72b291f21dc6e6011b27badd39688420d58743aafa20 SHA512 4c5f7b90e228c639b720932841d404b87cb730929c6955d1441771d1213111375c390aae675176f2a3a99b8dc1d24cdf4f4986f0dfd6025f36d4d84c8eb44c02 EBUILD openpgp-keys-gentoo-developers-20230403.ebuild 7522 BLAKE2B d48c00f39d882d632ad70651e47e06887af88a320623d6f5009ad735ff449895d18bc00838bc4fe72c905ebfbef233cffec407a359280fd4e88fb44b433e7e97 SHA512 7fa3f01773d5a3dfdc4f4221d6a15872f7eb74cbd262237fb6b5a8508b175a2e82679120efa5f686392f99402f71dfb1fcf833d5fbed76aaecb1aee37ac4ffac EBUILD openpgp-keys-gentoo-developers-20230508.ebuild 7530 BLAKE2B a43990c1c1441f877c04ddeb45d3a96cb829c223d26986129f520219afe2e8dd43e67f9878e666fc71fbac357dc77e54426a20cc352029ed199e3374e958feb3 SHA512 9a896722504447f82d1e3431b4f9a38ac523a08c4f6e4cbb798e75133b20a2b54d4abe220b6ba5c7848804fb3b0aad9f02ede441acd36f11cd988d45c87eda50 +EBUILD openpgp-keys-gentoo-developers-20230515.ebuild 7530 BLAKE2B a43990c1c1441f877c04ddeb45d3a96cb829c223d26986129f520219afe2e8dd43e67f9878e666fc71fbac357dc77e54426a20cc352029ed199e3374e958feb3 SHA512 9a896722504447f82d1e3431b4f9a38ac523a08c4f6e4cbb798e75133b20a2b54d4abe220b6ba5c7848804fb3b0aad9f02ede441acd36f11cd988d45c87eda50 EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7524 BLAKE2B b25f55fc15605a7ae98ea6c232c3c52c522478eef6e7c0454560874de41639b9af22b569b45e5363481ce5b1f0e55b0fae92c9be98fdd9cdd5a7a2c1b4cbd195 SHA512 59df2a70e59e2c029f383c971e0a00cd10c11fa8c8eaaf692fca4c11645a5877f0c0a4d121257fee42442b1f9252b497ba625e1ab1c4fd4d08aaaf59d91eff1d MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild new file mode 100644 index 000000000000..efd0694ab707 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20230515.ebuild @@ -0,0 +1,233 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{9..11} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + PROPERTIES="live" + + BDEPEND="net-misc/curl" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND+=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + sec-keys/openpgp-keys-gentoo-auth + test? ( + app-crypt/gnupg + sys-apps/grep[pcre] + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + local key + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>" + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} diff --git a/sec-keys/openpgp-keys-karelzak/Manifest b/sec-keys/openpgp-keys-karelzak/Manifest index 1845b88adb1c..b2e7e329954c 100644 --- a/sec-keys/openpgp-keys-karelzak/Manifest +++ b/sec-keys/openpgp-keys-karelzak/Manifest @@ -1,5 +1,7 @@ DIST openpgp-keys-karelzak-20220331.asc 4128 BLAKE2B c92253c5691de219a2d5ab8311997f4cab46d13c30fc6631713837655641d4766cd8eebdd786344a6491f337f93a7f11fd34c1e1e0213002c463ac4bcc6e36c7 SHA512 ffa2247a15313a1d7879d6a620bd6255615740055380f104fb7530f1e75dad82dd3febf5d6f36fb325ea40b1154960e7f6abb07fc72f4091dec7a551bde13b4e DIST openpgp-keys-karelzak-20230110.asc 3143 BLAKE2B d4900a0895f090a522a926d7b648c74595c12e0f4eb86e26edcc6d253e503cd6606c2f2a5491b227becf62839df51bee8785e29a4a6cbf40b99773e67ede27ed SHA512 b9435499df5cb5cbd0b690e45ff929b1ea5c013251ef8d573febfba73773456251d418671fd017482040ca32380dabb18dcf7a8526bce8aa4786b3338237960a +DIST openpgp-keys-karelzak-20230517.asc 6762 BLAKE2B 0d82509398a7b297d85d0c919d7d330b4a06976278d7d486dda66358b5601f6aea6d5703617078ca2968d081ebf86839b5e3722252f385892d11048e9094b6b4 SHA512 880246495281d55f0e2e709d4a442218433fd57d332c6e825d438841c236fb424ef8cbf355bffbea9564376116336d9a6fb33d5401f1b9b90c02516bec54fff8 EBUILD openpgp-keys-karelzak-20220331.ebuild 609 BLAKE2B 4782e845ffcb006afc4c5d91f09f271f9260e6ad9d848366ac40c3c3439ca0e532aca2521e886c21027a5ce1d15f0a7eada908d4ca249a836274169da8e40b9e SHA512 1c4f1ba36b656b4a550b9b22521d1fd0b7a4a28e324d6e7b7214dfc60e55092f25ca68462301fca5214a9fac547b8bbc50ce72c618375fc11276c163c6e4344c EBUILD openpgp-keys-karelzak-20230110.ebuild 609 BLAKE2B cb3d48bb2b3ed33d1a9fbf308806a581b697d4a4db080e5ad223816756326eb0ee3c1a2ca43f382eb10b417ac6267ebd2c7bdca7f65584c4e2e17fff699cf213 SHA512 60bae3d2a4f4fe02d88a4edcb65b3bba684f2a01002c5fdd83485bb6b862dc686232f8d96439662e081faae8b9c3971470c9dccfad694178342389e569b5e6e5 +EBUILD openpgp-keys-karelzak-20230517.ebuild 617 BLAKE2B b66c948d21ce6d5fb16fb6eabf4bc701d5490baeac33e670ac849dc46a74cff7ca7f363c4d75576edd3d07ef4c5ca1242730e1f9e11844ea11c3da0d4d19e31d SHA512 26bcc196a600770135d3567b898818a6831ede29402c132d1c3f481b8c97131f9d2b75fefc90c78c6d0931c2b0600296f9965b20039391adea66982d47f8c5f9 MISC metadata.xml 282 BLAKE2B 85c3312405ada57a85e03b06a59523c8d4069551f91e6b70f182d5af92ffc26b946c2987554001649eb41d605864a5cb3c172ebbb02f3c1a11ca1ed805889550 SHA512 5eac09aed8093684086d644c321b236d5da019a650ad322d33236b543bd5641edfc43cbdeee4654e093f9f6393eae034110ca51eb560b87a178fba74244d7fdb diff --git a/sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild b/sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild new file mode 100644 index 000000000000..524e114f2774 --- /dev/null +++ b/sec-keys/openpgp-keys-karelzak/openpgp-keys-karelzak-20230517.ebuild @@ -0,0 +1,20 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +DESCRIPTION="OpenPGP keys used by Karel Zak" +HOMEPAGE="https://kzak.redcrew.org/doku.php?id=me" +# Grabbed from HOMEPAGE but it's HTML +SRC_URI="https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/${P}.asc" +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" + +src_install() { + local files=( ${A} ) + insinto /usr/share/openpgp-keys + newins - karelzak.asc < <(cat "${files[@]/#/${DISTDIR}/}" || die) +} |