From 965058196f44550f3bc491dd85064071e085b776 Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Thu, 13 Feb 2025 00:12:52 +0000 Subject: gentoo auto-resync : 13:02:2025 - 00:12:52 --- sec-keys/Manifest.gz | Bin 28424 -> 28428 bytes sec-keys/openpgp-keys-gentoo-developers/Manifest | 2 + .../openpgp-keys-gentoo-developers-20250203.ebuild | 236 +++++++++++++++++++++ 3 files changed, 238 insertions(+) create mode 100644 sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250203.ebuild (limited to 'sec-keys') diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz index b5bf493830b7..1d65b9cd0a67 100644 Binary files a/sec-keys/Manifest.gz and b/sec-keys/Manifest.gz differ diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest index e2e1647f505a..47426ee92423 100644 --- a/sec-keys/openpgp-keys-gentoo-developers/Manifest +++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest @@ -1,7 +1,9 @@ AUX keyring-mangler.py 3198 BLAKE2B 5aafad0b9927916107d99a75177dc9b8e0612c3cb5021c1748e4113576d20006bc883f75d73e7640e289b600095bed7e3d2caa9e405f59d2a26eef4beb9df84e SHA512 4dadd08748b9ed732de30c6d8f3ccc9d428bf392d87619aa492e7cf7daddec9ed9e2387adb48fd62242094bb7a3b79fc42184bf887cf4a4f62d93060f505bf1b DIST openpgp-keys-gentoo-developers-20240422-active-devs.gpg 3204733 BLAKE2B b761e0f3f281545748eb8719b3ddd8eb55444090749218a579a94fddfafc735e3d36461662699fb1081fa70913d4449e51460f83d6ad10206c64ccdd313578e6 SHA512 b83232b2ed135bec63b5437aa49812b620de2de4d77874bc19b6d3caf2d7c0d295d58583b1cdc706ddc4e6d415c3391e6c6d1dc68b48556c865f36670575affe DIST openpgp-keys-gentoo-developers-20240708-active-devs.gpg 3122417 BLAKE2B f1a1727be347f66b9114f55dba31ed461785a5e8c633415896bb072fd5a6239db526e68d0ac3423e7cd6336a23542c9e48a02f36e18f83f0c7bd177ffd1fb1f8 SHA512 02626833edfb7ff943b96f8885df22ca24cec1a0ea7c9d23d702deb79b921bbe8fb8640d3f2275ffc413924b8f8a079a277b155157a142f519298e3771513f9e +DIST openpgp-keys-gentoo-developers-20250203-active-devs.gpg 3039938 BLAKE2B 0e86800542f4f635266e1ffc15c243824bfc6e4ac1d0cf7d8bcf7b94dc5b0ed8fbefdc9171dacedca771ea6234c5229abd446156ce3a4e9c1260071241f78f37 SHA512 268e2af61852c24e57ab87153116e87ca1044a64c488054574507ec4f973b7389cd668fd59f1b93c6d09345bd6efc0b92ad58f4e63d19356aff24b307733c9f6 EBUILD openpgp-keys-gentoo-developers-20240422.ebuild 7705 BLAKE2B 65ce65cccfb7b299ebba63540d494e2ffab499096da2e2d615386edd04621b663862c8a05db3516b94ebde2fda04e44811c56848db6efae5ee4806139c96953d SHA512 7fd7f202865af947ece386f4470d126ecc0b598940a6047a7273ccb4ae14d1651b00fa86749aaab68391b4d14538bd90670bf040cd70781c93cf032260e8b4b4 EBUILD openpgp-keys-gentoo-developers-20240708.ebuild 7705 BLAKE2B 11e68b9183c5538e52e8d6d6ef18e8b5c05b43a2b21f4b0235577d5aa354de23b0779c0f7b0df67fb7082bbc40f5b904da84c3405687f7dbbd9d5fef38ca7cd9 SHA512 b7bfa101b1d53776632a831980e027119fbac015e170f0177c042539723180db1d627a3e7bedddc914551616401b507e8dc10c50112332f3017d0ead27b1068d +EBUILD openpgp-keys-gentoo-developers-20250203.ebuild 7705 BLAKE2B 579db0cdbb476f879c783cad8ada988ce79ec64b923ff89a4dff57f49c9be7e2f346f557e0e51bb1b3544189e094fa679be9fc17d1c7b99675aca4afff75173a SHA512 15b9eca4f37b400447aced572dd859613b844b3d4ff441058b476823f6306ca20a98f07aec1278cfd572fcd8b329c8d5a3bdc02ffed4e6b935c4f95e6ffb78a7 EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7713 BLAKE2B 241e4c4788ccfe3b22b6714fbb120da571fc518510dee14ca71e3ea50cc1a4c175c85d6c9c6bff6f8f06f3a105033ddbdf2ee3ae4cf039426d6981445f5659be SHA512 b27b4edce57a86aeb9dea35ceeac4d370b730a2364ea249c0ba3cd9cfe6e42260de31b4e6539289503822a6be993ce367ba8a1b6b017c5b688b4622ce4ca1d4a MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056 diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250203.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250203.ebuild new file mode 100644 index 000000000000..feb9232b2038 --- /dev/null +++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250203.ebuild @@ -0,0 +1,236 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +PYTHON_COMPAT=( python3_{10..13} ) +inherit edo python-any-r1 + +DESCRIPTION="Gentoo Authority Keys (GLEP 79)" +HOMEPAGE="https://www.gentoo.org/downloads/signatures/" +if [[ ${PV} == 9999* ]] ; then + PROPERTIES="live" + + BDEPEND="net-misc/curl" +else + SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg" + KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv sparc x86" +fi + +S="${WORKDIR}" + +LICENSE="public-domain" +SLOT="0" +IUSE="test" +RESTRICT="!test? ( test )" + +BDEPEND+=" + $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]') + >=sec-keys/openpgp-keys-gentoo-auth-20240703 + test? ( + app-crypt/gnupg + sys-apps/grep[pcre] + ) +" + +python_check_deps() { + python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]" +} + +src_unpack() { + if [[ ${PV} == 9999* ]] ; then + curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die + else + default + fi +} + +src_compile() { + export GNUPGHOME="${T}"/.gnupg + + get_gpg_keyring_dir() { + if [[ ${PV} == 9999* ]] ; then + echo "${WORKDIR}" + else + echo "${DISTDIR}" + fi + } + + local mygpgargs=( + --no-autostart + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + mkdir "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + + # Convert the binary keyring into an armored one so we can process it + edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg + edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc + + # Now strip out the keys which are expired and/or missing a signature + # from our L2 developer authority key + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${WORKDIR}"/gentoo-developers.asc \ + "${WORKDIR}"/gentoo-developers-sanitised.asc +} + +src_test() { + export GNUPGHOME="${T}"/tests/.gnupg + + local mygpgargs=( + # We don't have --no-autostart here because we need + # to let it spawn an agent for the key generation. + --no-default-keyring + --homedir "${GNUPGHOME}" + ) + + # From verify-sig.eclass: + # "GPG upstream knows better than to follow the spec, so we can't + # override this directory. However, there is a clean fallback + # to GNUPGHOME." + addpredict /run/user + + # Check each of the keys to verify they're trusted by + # the L2 developer key. + mkdir -p "${GNUPGHOME}" || die + chmod 700 "${GNUPGHOME}" || die + cd "${T}"/tests || die + + # First, grab the L1 key, and mark it as ultimately trusted. + edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc + edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt + + # Generate a temporary key which isn't signed by anything to check + # whether we're detecting unexpected keys. + # + # The test is whether this appears in the sanitised keyring we + # produce in src_compile (it should not be in there). + # + # https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html + edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF + %echo Generating temporary key for testing... + + %no-protection + %transient-key + %pubring ${P}-ebuild-test-key.asc + + Key-Type: 1 + Key-Length: 2048 + Subkey-Type: 1 + Subkey-Length: 2048 + Name-Real: Larry The Cow + Name-Email: larry@example.com + Expire-Date: 0 + Handle: ${P}-ebuild-test-key + + %commit + %echo Temporary key generated! + EOF + + # Import the new injected key that shouldn't be signed by anything into a temporary testing keyring + edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc + + # Sign a tiny file with the to-be-injected key for testing rejection below + echo "Hello world!" > "${T}"/tests/signme || die + edo gpg "${mygpgargs[@]}" -u "Larry The Cow " --sign "${T}"/tests/signme || die + + # keyring-mangler will fail with no valid keys so import the sanitised list from src_compile. + edo gpg "${mygpgargs[@]}" --import "${WORKDIR}"/gentoo-developers-sanitised.asc + + edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc + + # keyring-mangler.py should now produce a keyring *without* it + edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \ + "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \ + "${T}"/tests/tainted-keyring.asc \ + "${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log + assert "Key mangling in tests failed?" + + # Check the log to verify the injected key got detected + grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!" + + # gnupg doesn't have an easy way for us to actually just.. ask + # if a key is known via WoT. So, sign a file using the key + # we just made, and then try to gpg --verify it, and check exit code. + # + # Let's now double check by seeing if a file signed by the injected key + # is rejected. + if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then + die "'gpg --verify' using injected test key succeeded! This shouldn't happen!" + fi + + # Bonus lame sanity check + edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log + assert "trustdb call failed!" + + check_trust_levels() { + local mode=${1} + + while IFS= read -r line; do + # gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + # gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + if [[ ${line} == *depth* ]] ; then + depth=$(echo ${line} | grep -Po "depth: [0-9]") + trust=$(echo ${line} | grep -Po "trust:.*") + + trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-") + [[ ${trust_uncalculated} == 0 ]] || ${mode} + + trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q") + [[ ${trust_insufficient} == 0 ]] || ${mode} + + trust_never=$(echo ${trust} | grep -Po "[0-9]n") + [[ ${trust_never} == 0 ]] || ${mode} + + trust_marginal=$(echo ${trust} | grep -Po "[0-9]m") + [[ ${trust_marginal} == 0 ]] || ${mode} + + trust_full=$(echo ${trust} | grep -Po "[0-9]f") + [[ ${trust_full} != 0 ]] || ${mode} + + trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u") + [[ ${trust_ultimate} == 1 ]] || ${mode} + + echo "${trust_uncalculated}, ${trust_insufficient}" + fi + done < "${T}"/tests/trustdb.log + } + + # First, check with the bad key still in the test keyring. + # This is supposed to fail, so we want it to return 1 + check_trust_levels "return 1" && die "Trustdb passed when it should have failed!" + + # Now check without the bad key in the test keyring. + # This one should pass. + # + # Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint) + keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow " \ + | grep "^fpr" \ + | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p') + + local key + for key in ${keys[@]} ; do + nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key} + done + + edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow " + check_trust_levels "return 0" || die "Trustdb failed when it should have passed!" + + gpgconf --kill gpg-agent || die +} + +src_install() { + insinto /usr/share/openpgp-keys + newins gentoo-developers-sanitised.asc gentoo-developers.asc + + # TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth? +} -- cgit v1.2.3