[linux] 01/02: genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
debian-kernel at lists.debian.org
Sat Jan 7 03:30:34 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch master
in repository linux.
commit f5af248fc00dcb4e0d275b589268b564a6a5ef2d
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Jan 7 02:57:59 2017 +0000
genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
I changed the wrapper to call gpgv instead of gpg. It is much easier
and cleaner to use local configuration this way, and it won't produce
a warning that the key isn't trusted.
I also removed use of an environment variable, as we (currently) only
pass one keyring filename here.
---
debian/bin/genorig.py | 9 +++++++++
debian/bin/git-tag-gpg-wrapper | 33 +++++++++++++++++++++++++++++++++
debian/changelog | 1 +
debian/upstream/signing-key.pgp | Bin 0 -> 6867 bytes
4 files changed, 43 insertions(+)
diff --git a/debian/bin/genorig.py b/debian/bin/genorig.py
index c3a4eea..59f31a8 100755
--- a/debian/bin/genorig.py
+++ b/debian/bin/genorig.py
@@ -69,6 +69,15 @@ class Main(object):
def upstream_export(self, input_repo):
self.log("Exporting %s from %s\n" % (self.tag, input_repo))
+ gpg_wrapper = os.path.join(os.getcwd(),
+ "debian/bin/git-tag-gpg-wrapper")
+ verify_proc = subprocess.Popen(['git',
+ '-c', 'gpg.program=%s' % gpg_wrapper,
+ 'tag', '-v', self.tag],
+ cwd=input_repo)
+ if verify_proc.wait():
+ raise RuntimeError("GPG tag verification failed")
+
archive_proc = subprocess.Popen(['git', 'archive', '--format=tar',
'--prefix=%s/' % self.orig, self.tag],
cwd=input_repo,
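Review bot: the wrapper path in the added lines is built from os.getcwd(), so verification only works when genorig.py is run from the top of the packaging tree; from any other directory git cannot execute gpg.program and the tag is rejected with the misleading message "GPG tag verification failed". The new wrapper already locates debian/ relative to its own location, and genorig.py could do the same, e.g. `os.path.join(os.path.dirname(os.path.realpath(__file__)), 'git-tag-gpg-wrapper')`. Failing closed when the wrapper is missing is the right behaviour; including self.tag and the wrapper path in the RuntimeError message would make the cause obvious. Also note that `git tag -v` writes the tag object to stdout, so the tag body will be interleaved with the script's own log output; pass stdout=subprocess.PIPE (or redirect it) if that is unwanted.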
diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper
new file mode 100755
index 0000000..58e1750
--- /dev/null
+++ b/debian/bin/git-tag-gpg-wrapper
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+# Instead of calling gpg, call gpgv and provide a local keyring
+
+debian_dir="$(readlink -f "$(dirname "$0")/..")"
+
+# Parse the expected options. If the next two lines are combined, a
+# failure of getopt won't cause the script to exit.
+ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")"
+eval "set -- $ordered_args"
+gpgv_opts=()
+while true; do
+ case "$1" in
+ --status-fd)
+ gpgv_opts+=(--status-fd $2)
+ shift 2
+ ;;
+ --keyid-format)
+ # ignore
+ shift 2
+ ;;
+ --verify)
+ # ignore
+ shift 1
+ ;;
+ --)
+ shift 1
+ break
+ ;;
+ esac
+done
+
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
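Review bot: the case statement has no default branch, so if getopt ever returns an argument the loop does not recognise (for example an option later added to the -l list without a matching branch) the while loop spins forever, because nothing shifts it. Add a `*) echo "$0: unexpected argument $1" >&2; exit 1 ;;` branch before esac. Two smaller points: `$2` in `gpgv_opts+=(--status-fd $2)` should be quoted for consistency with the rest of the script, and `set -e` as the first statement is more robust than `#!/bin/bash -e`, which is lost when someone runs the wrapper as `bash git-tag-gpg-wrapper`. A comment above the exec line should also state that gpgv treats every key in the supplied keyring as fully trusted, so the strength of this check rests entirely on the contents of debian/upstream/signing-key.pgp.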
diff --git a/debian/changelog b/debian/changelog
index ec4575e..a2cffde 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ linux (4.9-1~exp1) UNRELEASED; urgency=medium
* Use debhelper compatibility level 9
* [arm64] Revert "arm64/mm: Limit TASK_SIZE_64 ..." and add breaks on
incompatible mozjs
+ * genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
[ Uwe Kleine-König ]
* enable `perf data' support; patch by Sebastian Andrzej Siewior
diff --git a/debian/upstream/signing-key.pgp b/debian/upstream/signing-key.pgp
new file mode 100644
index 0000000..f832486
Binary files /dev/null and b/debian/upstream/signing-key.pgp differ
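Review bot: the keyring is added as an opaque binary with nothing in the commit message or changelog recording whose key it holds (user ID and fingerprint), where it was obtained, or how it should be refreshed when the upstream signing key is rotated. Since the wrapper accepts any key in this file, please record the fingerprint in the commit message or a debian/upstream/README so reviewers can check it against the upstream key; `gpg --no-default-keyring --keyring ./debian/upstream/signing-key.pgp --list-keys --fingerprint` will list the contents for that purpose.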
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git