v2 changes:

- add src_test
- add support for gentoo keyserver
- fix small typo in handling multiple sources
- remove outdated die based on review

Eli Schwartz (2):
  sec-keys.eclass: new eclass
  sec-keys/openpgp-keys-gnutls: update to use sec-keys.eclass

 eclass/sec-keys.eclass                        | 197 ++++++++++++++++++
 sec-keys/openpgp-keys-gnutls/Manifest         |   1 +
 .../openpgp-keys-gnutls-20240415-r1.ebuild    |  22 ++
 3 files changed, 220 insertions(+)
 create mode 100644 eclass/sec-keys.eclass
 create mode 100644 
sec-keys/openpgp-keys-gnutls/openpgp-keys-gnutls-20240415-r1.ebuild

Range-diff against v1:
1:  02c47372ec21 ! 1:  6777dbb541bf sec-keys.eclass: new eclass
    @@ Commit message
         ebuild.
     
         Key rotations, both expected and malicious, are easily detected by
    -    checking the git log for changes to declared finterprints in a bump. 
The
    +    checking the git log for changes to declared fingerprints in a bump. 
The
         former can be rationalized in the commit message. So can the latter, 
but
         in most cases those will be rejected during peer review.
     
    @@ eclass/sec-keys.eclass (new)
     +#
     +# @CODE
     +# SEC_KEYS_VALIDPGPKEYS=(
    -+# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
    ++# # implicit Ubuntu
    ++# '3DB7F3CA6C1D90B99FE25B38D4B476A4D175C54F:bjones:'
    ++# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github,openpgp'
    ++# # key only available on personal website, use manual SRC_URI
    ++# '5FD9B5EC8E3F12D11BA47D50F6D698C6F397D76B:awhite:none'
     +# )
     +#
     +# inherit sec-keys
    ++#
    ++# SRC_URI+="https://awhite.com/awhite.gpg -> awhite-${PV}.gpg"
     +# @CODE
     +
     +case ${EAPI} in
    @@ eclass/sec-keys.eclass (new)
     +# Mapping of fingerprints, name, and optional location of PGP keys to 
include,
     +# separated by colons. The allowed values for a location are:
     +#
    ++#  - gentoo -- fetch key by fingerprint from https://keys.gentoo.org
    ++#
     +#  - github -- fetch key from github.com/${name}.pgp
     +#
     +#  - openpgp -- fetch key by fingerprint from https://keys.openpgp.org
    @@ eclass/sec-keys.eclass (new)
     +          for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
     +                  fingerprint=${key%%:*}
     +                  name=${key#${fingerprint}:}; name=${name%%:*}
    -+                  IFS=: read -r -a locations <<<"${key##*:}"
    ++                  IFS=, read -r -a locations <<<"${key##*:}"
     +                  [[ ${locations[@]} ]] || locations=(ubuntu)
     +                  for loc in "${locations[@]}"; do
     +                          case ${loc} in
    ++                                  gentoo) 
remote="https://keys.gentoo.org/pks/lookup?op=get&search=0x${fingerprint}";;;
     +                                  github) 
remote="https://github.com/${name}.gpg";;;
     +                                  openpgp) 
remote="https://keys.openpgp.org/vks/v1/by-fingerprint/${fingerprint}";;;
     +                                  ubuntu) 
remote="https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${fingerprint}";;;
    @@ eclass/sec-keys.eclass (new)
     +_sec_keys_set_globals
     +unset -f _sec_keys_set_globals
     +
    -+BDEPEND="app-crypt/gnupg"
    ++IUSE="test"
    ++PROPERTIES="test_network"
    ++RESTRICT="test"
    ++
    ++BDEPEND="
    ++  app-crypt/gnupg
    ++  test? ( app-crypt/pgpdump )
    ++"
     +S=${WORKDIR}
     +
     +LICENSE="public-domain"
    @@ eclass/sec-keys.eclass (new)
     +  fi
     +}
     +
    ++
    ++sec-keys_src_test() {
    ++  local -x GNUPGHOME=${WORKDIR}/gnupg
    ++  local key fingerprint name server
    ++  local gpg_command=(gpg --export-options export-minimal)
    ++
    ++  for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
    ++          "${gpg_command[@]}" --export "${fingerprint}" | pgpdump > 
"${fingerprint}.pgpdump" || die
    ++  done
    ++
    ++  # Best-effort attempt to check for updates. keyservers can and usually 
do
    ++  # fail for weird reasons, (such as being unable to import a key without 
a
    ++  # uid) as well as normal reasons, like the key being exclusive to a
    ++  # different keyserver. this isn't a reason to fail src_test.
    ++  for server in keys.gentoo.org keys.openpgp.org keyserver.ubuntu.com; do
    ++          gpg --refresh-keys --keyserver "hkps://${server}"
    ++  done
    ++  for key in "${SEC_KEYS_VALIDPGPKEYS[@]}"; do
    ++          if [[ ${key##*:} = *github* ]]; then
    ++                  name=${key#*:}; name=${name%%:*}
    ++                  wget -qO- https://github.com/${name}.gpg | gpg --import 
|| die
    ++          fi
    ++  done
    ++
    ++  for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
    ++          "${gpg_command[@]}" --export "${fingerprint}" | pgpdump > 
"${fingerprint}.pgpdump.new" || die
    ++          diff -u "${fingerprint}.pgpdump" "${fingerprint}.pgpdump.new" 
|| die "updates available for PGP key: ${fingerprint}"
    ++  done
    ++
    ++}
    ++
     +# @FUNCTION: sec-keys_src_install
     +# @DESCRIPTION:
     +# Default src_install override that minifies and exports all PGP public 
keys
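Review bot: The GitHub path in sec-keys_src_test, `wget -qO- https://github.com/${name}.gpg | gpg --import || die`, imports whatever the user's GitHub key endpoint serves without any filtering, whereas the `gpg --refresh-keys` loop just above it gets GnuPG's default keyserver-side `self-sigs-only`/`import-clean` treatment (as far as I recall that default only covers keyserver fetches, not a plain `--import`). Because the exported key is then fed through pgpdump and diffed against the stored copy, any third-party certification attached to the key on GitHub would surface as a spurious "updates available" failure, and a flooded key would bloat the test keyring. I would apply the same options explicitly and quote the expansion: `wget -qO- "https://github.com/${name}.gpg" | gpg --import-options import-clean,self-sigs-only --import || die`. The refresh loop's non-fatal behaviour is deliberate per the comment, so it needs no change; the whole function body is within this hunk.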
    @@ eclass/sec-keys.eclass (new)
     +  for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
     +          local uids=()
     +          mapfile -t uids < <("${gpg_command[@]}" --list-key 
--with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
    -+          edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export 
--armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
    ++          edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export 
--armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc
     +  done
     +
     +  insinto /usr/share/openpgp-keys
    @@ eclass/sec-keys.eclass (new)
     +
     +fi
     +
    -+EXPORT_FUNCTIONS src_compile src_install
    ++EXPORT_FUNCTIONS src_compile src_test src_install
2:  0060997db9cb = 2:  2f78bceaed3b sec-keys/openpgp-keys-gnutls: update to use 
sec-keys.eclass
-- 
2.45.2

