From fa78c918d026c911c1bcd700b1d1000aaff22359 Mon Sep 17 00:00:00 2001
From: V3n3RiX <venerix@koprulu.sector>
Date: Sat, 3 Sep 2022 04:17:52 +0100
Subject: gentoo auto-resync : 03:09:2022 - 04:17:52

---
 sec-keys/Manifest.gz                               | Bin 16125 -> 16130 bytes
 sec-keys/openpgp-keys-gentoo-developers/Manifest   |   9 +-
 .../openpgp-keys-gentoo-developers-20220711.ebuild | 214 -------------------
 .../openpgp-keys-gentoo-developers-20220718.ebuild | 214 -------------------
 .../openpgp-keys-gentoo-developers-20220830.ebuild | 231 +++++++++++++++++++++
 .../openpgp-keys-gentoo-developers-99999999.ebuild |  25 ++-
 6 files changed, 255 insertions(+), 438 deletions(-)
 delete mode 100644 sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild
 delete mode 100644 sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild
 create mode 100644 sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild

(limited to 'sec-keys')

diff --git a/sec-keys/Manifest.gz b/sec-keys/Manifest.gz
index 235b3b07b4b0..2093efa7c511 100644
Binary files a/sec-keys/Manifest.gz and b/sec-keys/Manifest.gz differ
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index d056cb37c3c5..720ff6f6822a 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,8 +1,5 @@
 AUX keyring-mangler.py 3005 BLAKE2B e5435432b79156c26120af950f46f9a916af7261a78b40081eb140e18b3fd4f0d2ce55cd2ed305bdd4f60b569edfb513c1151a6255838a750d37225715e87e4f SHA512 bd4dc3dee66c0f0b8b657da1fabfbda96ea03b77d1080fa1d07b14d2a9571fe91f7589131893b75548122e772678760c7722fd8a46e120c40d8dbb8cb4341dc9
-DIST openpgp-keys-gentoo-developers-20220711-active-devs.gpg 3237775 BLAKE2B 511e4ea8907593b5ed05c79a0bf6ae131856f0511f3f6a744f393a077ad25fe3f6780caac60d4f94965d4c0aa14debae068599f50920caeaad44303a844bf7ed SHA512 c0122037a3bfde1eec0c3ca7a303ff82f532c518427b34814c12949572c18537f617db22563c15d40fd41f0c94e6c50bcd3e0d3d7d1175400057aafbe41ae2b2
-DIST openpgp-keys-gentoo-developers-20220718-active-devs.gpg 3238135 BLAKE2B a500165c89d28d1aef314ef10e639efe5b354cb39cca2c0565b43b55c580eed26d74be1d45b3be3d55d7879f25282d367cca6e04423df59191b7eedfcc1def88 SHA512 e51afcb31f81ee8596c9b2393fae41d8c67fc363d71f91296195369a428371e6151b81fd57a0cff382ad3493e57b6527126abedcdbc72b32f1bd5b2021e029eb
-DIST openpgp-keys-gentoo-developers-99999999-active-devs.gpg 3238135 BLAKE2B a500165c89d28d1aef314ef10e639efe5b354cb39cca2c0565b43b55c580eed26d74be1d45b3be3d55d7879f25282d367cca6e04423df59191b7eedfcc1def88 SHA512 e51afcb31f81ee8596c9b2393fae41d8c67fc363d71f91296195369a428371e6151b81fd57a0cff382ad3493e57b6527126abedcdbc72b32f1bd5b2021e029eb
-EBUILD openpgp-keys-gentoo-developers-20220711.ebuild 7250 BLAKE2B 4e1a2d11e880c008e0d52c8677403f646bb883177e9b46f6acf0ee9eedc02fb556bc8769154ab1bf2c7819fa698ab2b23492b0984af738bf8c6c11e1d4dee325 SHA512 369a181fcf1dc1a07a2250c0e023a4572dc79e46b28a9b9ce20c64891d40066dc584fb89f0efb11927971e7635d1ead5a9bc9acb605d61347dc6fbd7a3ccaa6b
-EBUILD openpgp-keys-gentoo-developers-20220718.ebuild 7250 BLAKE2B 4e1a2d11e880c008e0d52c8677403f646bb883177e9b46f6acf0ee9eedc02fb556bc8769154ab1bf2c7819fa698ab2b23492b0984af738bf8c6c11e1d4dee325 SHA512 369a181fcf1dc1a07a2250c0e023a4572dc79e46b28a9b9ce20c64891d40066dc584fb89f0efb11927971e7635d1ead5a9bc9acb605d61347dc6fbd7a3ccaa6b
-EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7275 BLAKE2B c23960a12c13cc5d404dc225c11e840cc9214b4632418441ab4822d1040ed381efe3de3acbd68554249d8061d8b1e8342a786bcf76969bd2aa87933a49397cfc SHA512 4c0051b7850b38d1fd7449d276262004ee55fddabd70547c2a355f47a419beb97a12a462ab555c2fba9e5b96412ac01bfea020a0decb8b2cdc805150fad4ae37
+DIST openpgp-keys-gentoo-developers-20220830-active-devs.gpg 3234718 BLAKE2B 80753222b4d2febf0d8568503d646e0258410010eefa35ea3914f5979ea05f12634676212df392f5ddbb153899cd7452ee89d412bea9de8e67abf93243444fa8 SHA512 2676fe541cdad8755f745ebd24badd7b4193bdff71f478f2442fea84e1e07b060564d437ce642b01a37ba8086a8177a84c32abf3dd794be8e587e1740bed2af2
+EBUILD openpgp-keys-gentoo-developers-20220830.ebuild 7478 BLAKE2B 2cf9f4724f45fe96f948b3ec06ad00ac8f0c3067d0b029715074587f1a7be32ec29d3246704169fd8159969376b3e0a32e9771da7fae2990f9445de235ff856f SHA512 bc95b6ddfe56a9a8e83d47f9282beb4e65dc84117b2387e7159731a7761bd9e0bfd5396ff3b37e445f1170a79c1c187a1525e506ab13418a30188e0859565d10
+EBUILD openpgp-keys-gentoo-developers-99999999.ebuild 7478 BLAKE2B 2cf9f4724f45fe96f948b3ec06ad00ac8f0c3067d0b029715074587f1a7be32ec29d3246704169fd8159969376b3e0a32e9771da7fae2990f9445de235ff856f SHA512 bc95b6ddfe56a9a8e83d47f9282beb4e65dc84117b2387e7159731a7761bd9e0bfd5396ff3b37e445f1170a79c1c187a1525e506ab13418a30188e0859565d10
 MISC metadata.xml 264 BLAKE2B 630ac0044f623dc63de725aae23da036b649a2d65331c06fbe9eb66d18ad1a4d3fd804cdffc4703500662b01272063af346680d2550f2fb6a262d6acee8c6789 SHA512 3cf1981080b4a7634537d20a3e837fa802c52ae5ee750531cc4aa3f8478cda78579375602bc058abbd75f9393f9681b79603c3ddd9af809a1e72f7336a708056
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild
deleted file mode 100644
index 4ff65eaaea85..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220711.ebuild
+++ /dev/null
@@ -1,214 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{9..11} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
-	SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg"
-	PROPERTIES="live"
-else
-	SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND="
-	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
-	sec-keys/openpgp-keys-gentoo-auth
-	test? (
-		app-crypt/gnupg
-	)
-"
-
-python_check_deps() {
-	python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_compile() {
-	export GNUPGHOME="${T}"/.gnupg
-
-	local mygpgargs=(
-		--no-autostart
-		--no-default-keyring
-		--homedir "${GNUPGHOME}"
-	)
-
-	# From verify-sig.eclass:
-	# "GPG upstream knows better than to follow the spec, so we can't
-	# override this directory.  However, there is a clean fallback
-	# to GNUPGHOME."
-	addpredict /run/user
-
-	mkdir "${GNUPGHOME}" || die
-	chmod 700 "${GNUPGHOME}" || die
-
-	# Convert the binary keyring into an armored one so we can process it
-	edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg
-	edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
-	# Now strip out the keys which are expired and/or missing a signature
-	# from our L2 developer authority key
-	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
-			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
-			"${WORKDIR}"/gentoo-developers.asc \
-			"${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
-	export GNUPGHOME="${T}"/tests/.gnupg
-
-	local mygpgargs=(
-		# We don't have --no-autostart here because we need
-		# to let it spawn an agent for the key generation.
-		--no-default-keyring
-		--homedir "${GNUPGHOME}"
-	)
-
-	# From verify-sig.eclass:
-	# "GPG upstream knows better than to follow the spec, so we can't
-	# override this directory.  However, there is a clean fallback
-	# to GNUPGHOME."
-	addpredict /run/user
-
-	# Check each of the keys to verify they're trusted by
-	# the L2 developer key.
-	mkdir -p "${GNUPGHOME}" || die
-	chmod 700 "${GNUPGHOME}" || die
-	cd "${T}"/tests || die
-
-	# First, grab the L1 key, and mark it as ultimately trusted.
-	edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
-	edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
-	# Generate a temporary key which isn't signed by anything to check
-	# whether we're detecting unexpected keys.
-	#
-	# The test is whether this appears in the sanitised keyring we
-	# produce in src_compile (it should not be in there).
-	#
-	# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
-	edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
-		%echo Generating temporary key for testing...
-
-		%no-protection
-		%transient-key
-		%pubring ${P}-ebuild-test-key.asc
-
-		Key-Type: 1
-		Key-Length: 2048
-		Subkey-Type: 1
-		Subkey-Length: 2048
-		Name-Real: Larry The Cow
-		Name-Email: larry@example.com
-		Expire-Date: 0
-		Handle: ${P}-ebuild-test-key
-
-		%commit
-		%echo Temporary key generated!
-	EOF
-
-	# Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
-	edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
-	# Sign a tiny file with the to-be-injected key for testing rejection below
-	echo "Hello world!" > "${T}"/tests/signme || die
-	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
-	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
-	# keyring-mangler.py should now produce a keyring *without* it
-	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
-			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
-			"${T}"/tests/tainted-keyring.asc \
-			"${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
-	assert "Key mangling in tests failed?"
-
-	# Check the log to verify the injected key got detected
-	grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
-	# gnupg doesn't have an easy way for us to actually just.. ask
-	# if a key is known via WoT. So, sign a file using the key
-	# we just made, and then try to gpg --verify it, and check exit code.
-	#
-	# Let's now double check by seeing if a file signed by the injected key
-	# is rejected.
-	if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
-		die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
-	fi
-
-	# Bonus lame sanity check
-	edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
-	assert "trustdb call failed!"
-
-	check_trust_levels() {
-		local mode=${1}
-
-		while IFS= read -r line; do
-			# gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
-			# gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
-			if [[ ${line} == *depth* ]] ; then
-				depth=$(echo ${line} | grep -Po "depth: [0-9]")
-				trust=$(echo ${line} | grep -Po "trust:.*")
-
-				trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
-				[[ ${trust_uncalculated} == 0 ]] || ${mode}
-
-				trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
-				[[ ${trust_insufficient} == 0 ]] || ${mode}
-
-				trust_never=$(echo ${trust} | grep -Po "[0-9]n")
-				[[ ${trust_never} == 0 ]] || ${mode}
-
-				trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
-				[[ ${trust_marginal} == 0 ]] || ${mode}
-
-				trust_full=$(echo ${trust} | grep -Po "[0-9]f")
-				[[ ${trust_full} != 0 ]] || ${mode}
-
-				trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
-				[[ ${trust_ultimate} == 1 ]] || ${mode}
-
-				echo "${trust_uncalculated}, ${trust_insufficient}"
-			fi
-		done < "${T}"/tests/trustdb.log
-	}
-
-	# First, check with the bad key still in the test keyring.
-	# This is supposed to fail, so we want it to return 1
-	check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
-	# Now check without the bad key in the test keyring.
-	# This one should pass.
-	#
-	# Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
-	keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
-		| grep "^fpr" \
-		| sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
-	for key in ${keys[@]} ; do
-		nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
-	done
-
-	edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
-	check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
-	gpgconf --kill gpg-agent || die
-}
-
-src_install() {
-	insinto /usr/share/openpgp-keys
-	newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
-	# TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild
deleted file mode 100644
index 4ff65eaaea85..000000000000
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220718.ebuild
+++ /dev/null
@@ -1,214 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{9..11} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
-if [[ ${PV} == 9999* ]] ; then
-	SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg"
-	PROPERTIES="live"
-else
-	SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND="
-	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
-	sec-keys/openpgp-keys-gentoo-auth
-	test? (
-		app-crypt/gnupg
-	)
-"
-
-python_check_deps() {
-	python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_compile() {
-	export GNUPGHOME="${T}"/.gnupg
-
-	local mygpgargs=(
-		--no-autostart
-		--no-default-keyring
-		--homedir "${GNUPGHOME}"
-	)
-
-	# From verify-sig.eclass:
-	# "GPG upstream knows better than to follow the spec, so we can't
-	# override this directory.  However, there is a clean fallback
-	# to GNUPGHOME."
-	addpredict /run/user
-
-	mkdir "${GNUPGHOME}" || die
-	chmod 700 "${GNUPGHOME}" || die
-
-	# Convert the binary keyring into an armored one so we can process it
-	edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg
-	edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
-
-	# Now strip out the keys which are expired and/or missing a signature
-	# from our L2 developer authority key
-	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
-			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
-			"${WORKDIR}"/gentoo-developers.asc \
-			"${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
-	export GNUPGHOME="${T}"/tests/.gnupg
-
-	local mygpgargs=(
-		# We don't have --no-autostart here because we need
-		# to let it spawn an agent for the key generation.
-		--no-default-keyring
-		--homedir "${GNUPGHOME}"
-	)
-
-	# From verify-sig.eclass:
-	# "GPG upstream knows better than to follow the spec, so we can't
-	# override this directory.  However, there is a clean fallback
-	# to GNUPGHOME."
-	addpredict /run/user
-
-	# Check each of the keys to verify they're trusted by
-	# the L2 developer key.
-	mkdir -p "${GNUPGHOME}" || die
-	chmod 700 "${GNUPGHOME}" || die
-	cd "${T}"/tests || die
-
-	# First, grab the L1 key, and mark it as ultimately trusted.
-	edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
-	edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
-	# Generate a temporary key which isn't signed by anything to check
-	# whether we're detecting unexpected keys.
-	#
-	# The test is whether this appears in the sanitised keyring we
-	# produce in src_compile (it should not be in there).
-	#
-	# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
-	edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
-		%echo Generating temporary key for testing...
-
-		%no-protection
-		%transient-key
-		%pubring ${P}-ebuild-test-key.asc
-
-		Key-Type: 1
-		Key-Length: 2048
-		Subkey-Type: 1
-		Subkey-Length: 2048
-		Name-Real: Larry The Cow
-		Name-Email: larry@example.com
-		Expire-Date: 0
-		Handle: ${P}-ebuild-test-key
-
-		%commit
-		%echo Temporary key generated!
-	EOF
-
-	# Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
-	edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
-	# Sign a tiny file with the to-be-injected key for testing rejection below
-	echo "Hello world!" > "${T}"/tests/signme || die
-	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
-
-	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
-
-	# keyring-mangler.py should now produce a keyring *without* it
-	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
-			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
-			"${T}"/tests/tainted-keyring.asc \
-			"${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
-	assert "Key mangling in tests failed?"
-
-	# Check the log to verify the injected key got detected
-	grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
-
-	# gnupg doesn't have an easy way for us to actually just.. ask
-	# if a key is known via WoT. So, sign a file using the key
-	# we just made, and then try to gpg --verify it, and check exit code.
-	#
-	# Let's now double check by seeing if a file signed by the injected key
-	# is rejected.
-	if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
-		die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
-	fi
-
-	# Bonus lame sanity check
-	edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
-	assert "trustdb call failed!"
-
-	check_trust_levels() {
-		local mode=${1}
-
-		while IFS= read -r line; do
-			# gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
-			# gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
-			if [[ ${line} == *depth* ]] ; then
-				depth=$(echo ${line} | grep -Po "depth: [0-9]")
-				trust=$(echo ${line} | grep -Po "trust:.*")
-
-				trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
-				[[ ${trust_uncalculated} == 0 ]] || ${mode}
-
-				trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
-				[[ ${trust_insufficient} == 0 ]] || ${mode}
-
-				trust_never=$(echo ${trust} | grep -Po "[0-9]n")
-				[[ ${trust_never} == 0 ]] || ${mode}
-
-				trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
-				[[ ${trust_marginal} == 0 ]] || ${mode}
-
-				trust_full=$(echo ${trust} | grep -Po "[0-9]f")
-				[[ ${trust_full} != 0 ]] || ${mode}
-
-				trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
-				[[ ${trust_ultimate} == 1 ]] || ${mode}
-
-				echo "${trust_uncalculated}, ${trust_insufficient}"
-			fi
-		done < "${T}"/tests/trustdb.log
-	}
-
-	# First, check with the bad key still in the test keyring.
-	# This is supposed to fail, so we want it to return 1
-	check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
-
-	# Now check without the bad key in the test keyring.
-	# This one should pass.
-	#
-	# Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
-	keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
-		| grep "^fpr" \
-		| sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
-	for key in ${keys[@]} ; do
-		nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
-	done
-
-	edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
-	check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
-
-	gpgconf --kill gpg-agent || die
-}
-
-src_install() {
-	insinto /usr/share/openpgp-keys
-	newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
-	# TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild
new file mode 100644
index 000000000000..a3505aa67f03
--- /dev/null
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20220830.ebuild
@@ -0,0 +1,231 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+inherit edo python-any-r1
+
+DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
+HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
+if [[ ${PV} == 9999* ]] ; then
+	PROPERTIES="live"
+
+	BDEPEND="net-misc/curl"
+else
+	SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
+fi
+
+S="${WORKDIR}"
+
+LICENSE="public-domain"
+SLOT="0"
+IUSE="test"
+RESTRICT="!test? ( test )"
+
+BDEPEND+="
+	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
+	sec-keys/openpgp-keys-gentoo-auth
+	test? (
+		app-crypt/gnupg
+	)
+"
+
+python_check_deps() {
+	python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
+}
+
+src_unpack() {
+	if [[ ${PV} == 9999* ]] ; then
+		curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
+	else
+		default
+	fi
+}
+
+src_compile() {
+	export GNUPGHOME="${T}"/.gnupg
+
+	get_gpg_keyring_dir() {
+		if [[ ${PV} == 9999* ]] ; then
+			echo "${WORKDIR}"
+		else
+			echo "${DISTDIR}"
+		fi
+	}
+
+	local mygpgargs=(
+		--no-autostart
+		--no-default-keyring
+		--homedir "${GNUPGHOME}"
+	)
+
+	# From verify-sig.eclass:
+	# "GPG upstream knows better than to follow the spec, so we can't
+	# override this directory.  However, there is a clean fallback
+	# to GNUPGHOME."
+	addpredict /run/user
+
+	mkdir "${GNUPGHOME}" || die
+	chmod 700 "${GNUPGHOME}" || die
+
+	# Convert the binary keyring into an armored one so we can process it
+	edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
+	edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
+
+	# Now strip out the keys which are expired and/or missing a signature
+	# from our L2 developer authority key
+	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+			"${WORKDIR}"/gentoo-developers.asc \
+			"${WORKDIR}"/gentoo-developers-sanitised.asc
+}
+
+src_test() {
+	export GNUPGHOME="${T}"/tests/.gnupg
+
+	local mygpgargs=(
+		# We don't have --no-autostart here because we need
+		# to let it spawn an agent for the key generation.
+		--no-default-keyring
+		--homedir "${GNUPGHOME}"
+	)
+
+	# From verify-sig.eclass:
+	# "GPG upstream knows better than to follow the spec, so we can't
+	# override this directory.  However, there is a clean fallback
+	# to GNUPGHOME."
+	addpredict /run/user
+
+	# Check each of the keys to verify they're trusted by
+	# the L2 developer key.
+	mkdir -p "${GNUPGHOME}" || die
+	chmod 700 "${GNUPGHOME}" || die
+	cd "${T}"/tests || die
+
+	# First, grab the L1 key, and mark it as ultimately trusted.
+	edo gpg "${mygpgargs[@]}" --import "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
+	edo gpg "${mygpgargs[@]}" --import-ownertrust "${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
+
+	# Generate a temporary key which isn't signed by anything to check
+	# whether we're detecting unexpected keys.
+	#
+	# The test is whether this appears in the sanitised keyring we
+	# produce in src_compile (it should not be in there).
+	#
+	# https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
+	edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
+		%echo Generating temporary key for testing...
+
+		%no-protection
+		%transient-key
+		%pubring ${P}-ebuild-test-key.asc
+
+		Key-Type: 1
+		Key-Length: 2048
+		Subkey-Type: 1
+		Subkey-Length: 2048
+		Name-Real: Larry The Cow
+		Name-Email: larry@example.com
+		Expire-Date: 0
+		Handle: ${P}-ebuild-test-key
+
+		%commit
+		%echo Temporary key generated!
+	EOF
+
+	# Import the new injected key that shouldn't be signed by anything into a temporary testing keyring
+	edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
+
+	# Sign a tiny file with the to-be-injected key for testing rejection below
+	echo "Hello world!" > "${T}"/tests/signme || die
+	edo gpg "${mygpgargs[@]}" -u "Larry The Cow <larry@example.com>" --sign "${T}"/tests/signme || die
+
+	edo gpg "${mygpgargs[@]}" --export --armor > "${T}"/tests/tainted-keyring.asc
+
+	# keyring-mangler.py should now produce a keyring *without* it
+	edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
+			"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
+			"${T}"/tests/tainted-keyring.asc \
+			"${T}"/tests/gentoo-developers-sanitised.asc | tee "${T}"/tests/keyring-mangler.log
+	assert "Key mangling in tests failed?"
+
+	# Check the log to verify the injected key got detected
+	grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log || die "Did not remove injected key from test keyring!"
+
+	# gnupg doesn't have an easy way for us to actually just.. ask
+	# if a key is known via WoT. So, sign a file using the key
+	# we just made, and then try to gpg --verify it, and check exit code.
+	#
+	# Let's now double check by seeing if a file signed by the injected key
+	# is rejected.
+	if gpg "${mygpgargs[@]}" --keyring "${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ; then
+		die "'gpg --verify' using injected test key succeeded! This shouldn't happen!"
+	fi
+
+	# Bonus lame sanity check
+	edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee "${T}"/tests/trustdb.log
+	assert "trustdb call failed!"
+
+	check_trust_levels() {
+		local mode=${1}
+
+		while IFS= read -r line; do
+			# gpg: depth: 0  valid:   1  signed:   2  trust: 0-, 0q, 0n, 0m, 0f, 1u
+			# gpg: depth: 1  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 2f, 0u
+			if [[ ${line} == *depth* ]] ; then
+				depth=$(echo ${line} | grep -Po "depth: [0-9]")
+				trust=$(echo ${line} | grep -Po "trust:.*")
+
+				trust_uncalculated=$(echo ${trust} | grep -Po "[0-9]-")
+				[[ ${trust_uncalculated} == 0 ]] || ${mode}
+
+				trust_insufficient=$(echo ${trust} | grep -Po "[0-9]q")
+				[[ ${trust_insufficient} == 0 ]] || ${mode}
+
+				trust_never=$(echo ${trust} | grep -Po "[0-9]n")
+				[[ ${trust_never} == 0 ]] || ${mode}
+
+				trust_marginal=$(echo ${trust} | grep -Po "[0-9]m")
+				[[ ${trust_marginal} == 0 ]] || ${mode}
+
+				trust_full=$(echo ${trust} | grep -Po "[0-9]f")
+				[[ ${trust_full} != 0 ]] || ${mode}
+
+				trust_ultimate=$(echo ${trust} | grep -Po "[0-9]u")
+				[[ ${trust_ultimate} == 1 ]] || ${mode}
+
+				echo "${trust_uncalculated}, ${trust_insufficient}"
+			fi
+		done < "${T}"/tests/trustdb.log
+	}
+
+	# First, check with the bad key still in the test keyring.
+	# This is supposed to fail, so we want it to return 1
+	check_trust_levels "return 1" && die "Trustdb passed when it should have failed!"
+
+	# Now check without the bad key in the test keyring.
+	# This one should pass.
+	#
+	# Drop the bad key first (https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
+	keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry The Cow <larry@example.com>" \
+		| grep "^fpr" \
+		| sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
+
+	for key in ${keys[@]} ; do
+		nonfatal edo gpg "${mygpgargs[@]}" --batch --yes --delete-secret-keys ${key}
+	done
+
+	edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow <larry@example.com>"
+	check_trust_levels "return 0" || die "Trustdb failed when it should have passed!"
+
+	gpgconf --kill gpg-agent || die
+}
+
+src_install() {
+	insinto /usr/share/openpgp-keys
+	newins gentoo-developers-sanitised.asc gentoo-developers.asc
+
+	# TODO: install an ownertrust file like sec-keys/openpgp-keys-gentoo-auth?
+}
diff --git a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild
index e1500e00b9e0..a3505aa67f03 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild
+++ b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-99999999.ebuild
@@ -9,11 +9,12 @@ inherit edo python-any-r1
 DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
 HOMEPAGE="https://www.gentoo.org/downloads/signatures/"
 if [[ ${PV} == 9999* ]] ; then
-	SRC_URI="https://qa-reports.gentoo.org/output/active-devs.gpg -> ${P}-active-devs.gpg"
 	PROPERTIES="live"
+
+	BDEPEND="net-misc/curl"
 else
 	SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg -> ${P}-active-devs.gpg"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~x86"
 fi
 
 S="${WORKDIR}"
@@ -23,7 +24,7 @@ SLOT="0"
 IUSE="test"
 RESTRICT="!test? ( test )"
 
-BDEPEND="
+BDEPEND+="
 	$(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
 	sec-keys/openpgp-keys-gentoo-auth
 	test? (
@@ -35,9 +36,25 @@ python_check_deps() {
 	python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
 }
 
+src_unpack() {
+	if [[ ${PV} == 9999* ]] ; then
+		curl https://qa-reports.gentoo.org/output/active-devs.gpg -o ${P}-active-devs.gpg || die
+	else
+		default
+	fi
+}
+
 src_compile() {
 	export GNUPGHOME="${T}"/.gnupg
 
+	get_gpg_keyring_dir() {
+		if [[ ${PV} == 9999* ]] ; then
+			echo "${WORKDIR}"
+		else
+			echo "${DISTDIR}"
+		fi
+	}
+
 	local mygpgargs=(
 		--no-autostart
 		--no-default-keyring
@@ -54,7 +71,7 @@ src_compile() {
 	chmod 700 "${GNUPGHOME}" || die
 
 	# Convert the binary keyring into an armored one so we can process it
-	edo gpg "${mygpgargs[@]}" --import "${DISTDIR}"/${P}-active-devs.gpg
+	edo gpg "${mygpgargs[@]}" --import "$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
 	edo gpg "${mygpgargs[@]}" --export --armor > "${WORKDIR}"/gentoo-developers.asc
 
 	# Now strip out the keys which are expired and/or missing a signature
-- 
cgit v1.2.3