diff options
| author |   Robin H. Johnson <robbat2@gentoo.org> | 2023-12-04 22:03:29 -0800 |
|---|---|---|
| committer | Robin H. Johnson <robbat2@gentoo.org> | 2023-12-04 22:03:29 -0800 |
| commit | c43b5e05d424a12e4007c937318c3662751d3bac (patch) | |
| tree | b8ec745d9fdeaec555b557968be6fc71365af092 | |
| parent | update-02-gpg: improve trust chain check, but also workaround behavior bug (diff) | |
| download | githooks-c43b5e05d424a12e4007c937318c3662751d3bac.tar.gz githooks-c43b5e05d424a12e4007c937318c3662751d3bac.tar.bz2 githooks-c43b5e05d424a12e4007c937318c3662751d3bac.zip | |
local/update-02-gpg: fix commit verification trust chain for newer gitgithooks-20231205T060329Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
| -rwxr-xr-x | local/update-02-gpg | 54 |
1 files changed, 44 insertions, 10 deletions
diff --git a/local/update-02-gpg b/local/update-02-gpg index 79fbff4..b0dc1b1 100755 --- a/local/update-02-gpg +++ b/local/update-02-gpg @@ -57,28 +57,62 @@ case ${VERIFY_SIGS} in echo " Please update the keys into conformance if you wish to continue" >&2 echo " using them. If not, please remove unused keys from LDAP." >&2 fi + # create a dedicated GNUPGHOME TMPHOME=$(mktemp -d) trap 'rm -rf "${TMPHOME}"' EXIT + # transfer the keys: - # - ONLY for the developer in question - # - and chain to L1 - CHAIN=( - ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org - 2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org - 18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org + # - ONLY for the developer/service in question + # - with chain to L1 + CHAIN_L1=( + ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org + ) + CHAIN_L2=( + 2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org + 18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org ) - gpg -q --export "${GOOD_KEYS[@]}" | GNUPGHOME=${TMPHOME} gpg -q --import + EXPORT_CMD=( + gpg -q + --export-options export-clean,no-export-local-sigs,no-export-attributes + # keep-uid filter is not working in gnupg-2.4.3 or gnupg-2.2.41 + #--export-filter 'keep-uid="uid =~ @gentoo.org"' + --export + ) + IMPORT_CMD=( + gpg -q + # no-self-sigs-only is needed to import the signature chain. + --import-options import-clean,no-import-local-sigs,no-keep-ownertrust,no-self-sigs-only + # keep-uid filter is not working in gnupg-2.4.3 or gnupg-2.2.41 + #--import-filter 'keep-uid="uid =~ @gentoo.org"' + --import + ) + "${EXPORT_CMD[@]}" \ + "${CHAIN_L1[@]}" \ + "${CHAIN_L2[@]}" \ + "${GOOD_KEYS[@]}" \ + | \ + GNUPGHOME=${TMPHOME} \ + "${IMPORT_CMD[@]}" + # use new GNUGPHOME to restrict to dev's keys export GNUPGHOME=${TMPHOME} cat >>$GNUPGHOME/gpg.conf <<-EOF - # Workaround for chain trust issue - trust-model always + # Explicitly set trust model; + # git-2.43 does not recognize the always & direct trust model behavior + # so it exports that the signatures came from an untrusted key + trust-model pgp EOF - for _k in "${CHAIN[@]}" ; do + # And declare that the L1 key is trusted. + # This could go into the trustdb file instead, but cleaner this way. + for _k in "${CHAIN_L1[@]}" ; do echo "trusted-key $_k" >> $GNUPGHOME/gpg.conf done + + # If there are problems w/ the key export/import loop, or trust + # verification; dump here #GNUPGHOME=${TMPHOME} gpg --check-trustdb + #GNUPGHOME=${TMPHOME} gpg --list-sig ;; no) ;; |