commit: 1b179fb11bdffce5d9e3f5e6433113f25569117e Author: Kerin Millar <kfm <AT> plushkava <DOT> net> AuthorDate: Sun Jun 15 14:46:01 2025 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Jun 16 01:16:53 2025 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=1b179fb1
emerge-webrsync: improve PGP verification method selection in handle_pgp_setup() Presently, the emerge-webrsync program contains the handle_pgp_setup() function. Its duty is to determine whether the user intends for GPG verification to be employed. I would describe it as being in a state of disrepair, for the following reasons. - the logic is not readily apparent at a glance - the comments have not kept pace with the code - the "sync-webrsync-verify-signature" repo attribute test is broken and defunct - the test for whether the program was launched by the webrsync module is broken - a user-hostile exception is issued in one particular instance This commit addresses these issues in the ways described herewith. Ensure that the --no-pgp-primacy option is granted primacy by testing for it first. Not only is this behavior conventional but it also allows for the broken "sync-webrsync-verify-signature" attribute handling code to be dropped outright. As of commit b39f9f8, the webrsync module makes a point of passing the option to emerge-webrsync where appropriate. In the case that "webrsync-gpg" is found to be present in FEATURES, refrain from incorrectly testing whether emerge-webrsync was invoked 'directly' by the user and, if so concluded, throwing a user-hostile exception. I had discerned a more reliable means of performing this test and considered whether the diagnostic might be improved. However, following a discussion with Sam, it was concluded that it would be simpler to drop the test. Consequently, a warning shall always be issued but never an exception thrown. For each branch that assigns a particular value to the 'WEBRSYNC_VERIFY_SIGNATURE' variable, ensure that the accompanying comment is as concisely helpful as possible. Remove a redundant pattern from a case statement on the basis that there is no circumstance under which 'WEBRSYNC_VERIFY_SIGNATURE' will have a value that cannot match [012] at that juncture. 
See-also: b39f9f819c34a7a67f2639acb4d4c17a1aa5df89 Bug: https://bugs.gentoo.org/940120 Bug: https://bugs.gentoo.org/945861 Signed-off-by: Kerin Millar <kfm <AT> plushkava.net> Signed-off-by: Sam James <sam <AT> gentoo.org> bin/emerge-webrsync | 48 +++++++++++++----------------------------------- 1 file changed, 13 insertions(+), 35 deletions(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 62fd4c4555..9c9d561835 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -106,41 +106,22 @@ do_debug=0
 keep=false

 handle_pgp_setup() {
- # WEBRSYNC_VERIFY_SIGNATURE=0: disable PGP verification
- # WEBRSYNC_VERIFY_SIGNATURE=1: use gemato for verification, fallback to regular gpg
- # WEBRSYNC_VERIFY_SIGNATURE=2: use legacy FEATURES="webrsync-gpg"
- WEBRSYNC_VERIFY_SIGNATURE=1
-
- contains_word webrsync-gpg "${FEATURES}"
- webrsync_gpg=$(( $? == 0 ))
-
- repo_has_webrsync_verify=$(
- has $(__repo_attr "${repo_name}" sync-webrsync-verify-signature | LC_ALL=C tr '[:upper:]' '[:lower:]') true yes
- )
-
- if [[ -n ${PORTAGE_TEMP_GPG_DIR} ]] || [[ ${repo_has_webrsync_verify} -eq 1 ]]; then
- # If FEATURES=webrsync-gpg is enabled then allow direct emerge-webrsync
- # calls for backward compatibility (this triggers a deprecation warning
- # above). Since direct emerge-webrsync calls do not use gemato for secure
- # key refresh, this behavior will not be supported in a future release.
- if [[ ! ( -d ${PORTAGE_GPG_DIR} && ${webrsync_gpg} -eq 1 ) && -z ${PORTAGE_TEMP_GPG_DIR} ]]; then
- die "Do not call ${argv0##*/} directly, instead call emerge --sync or emaint sync."
- fi
-
- # Use gemato for the standard Portage-calling-us case w/ sync-type='webrsync'.
- WEBRSYNC_VERIFY_SIGNATURE=1
- elif [[ ${webrsync_gpg} -eq 1 ]]; then
- # We only warn if FEATURES="webrsync-gpg" is in make.conf, not if
- # Portage is calling us for 'sync-type=webrsync' with verification, because
- # that path uses gemato now (plus the user can't help it, obviously).
+ if [[ ${no_pgp_verify} ]]; then
+ # Disable PGP verification. The webrsync module specifies this
+ # option if the "sync-webrsync-verify-signature" repo attribute
+ # is explicitly defined with a value of "false".
+ WEBRSYNC_VERIFY_SIGNATURE=0
+ elif contains_word webrsync-gpg "${FEATURES}"; then
+ # Discourage the use of the deprecated "webrsync-gpg" feature
+ # because it prevents the use of gemato for verification.
 ewarn "FEATURES=webrsync-gpg is deprecated, see the make.conf(5) man page."
 WEBRSYNC_VERIFY_SIGNATURE=2
- elif [[ -n ${no_pgp_verify} ]]; then
- WEBRSYNC_VERIFY_SIGNATURE=0
 else
- # The default at the beginning of handle_pgp_setup is WEBRSYNC_VERIFY_SIGNATURE=1
- # i.e. gemato.
- :;
+ # Try to use gemato for PGP verification. If missing, fall
+ # back to conventional verification with gpg(1). The former
+ # approach is preferred because it handles key refresh and
+ # revocation, and guarantees a clean operating environment.
+ WEBRSYNC_VERIFY_SIGNATURE=1
 fi

 case "${WEBRSYNC_VERIFY_SIGNATURE}" in
@@ -153,9 +134,6 @@ handle_pgp_setup() {
 2)
 ewarn "PGP verification method: legacy gpg path"
 ;;
- *)
- die "Unknown WEBRSYNC_VERIFY_SIGNATURE state: \${WEBRSYNC_VERIFY_SIGNATURE}=${WEBRSYNC_VERIFY_SIGNATURE}"
- ;;
 esac

 if [[ -n ${PORTAGE_TEMP_GPG_DIR} ]]; then
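Review bot: The first branch of handle_pgp_setup() in the first hunk, `if [[ ${no_pgp_verify} ]]; then`, now outranks every other input, so any non-empty value of that variable turns signature verification off, and nothing visible here initialises it the way `do_debug=0` and `keep=false` are initialised. If it is only ever assigned by the option parser (not shown), a value inherited from the calling environment would disable PGP verification without the option having been given; an explicit `no_pgp_verify=` beside those initialisations, outside this hunk, would rule that out. When FEATURES=webrsync-gpg is set as well, the outcome is a drop from legacy gpg verification to none, which merits its own `ewarn` in that branch rather than relying on whatever the `case` below reports for state 0 (that arm is not visible). The function body continues past both hunks.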
