authorRobin H. Johnson <robbat2@gentoo.org>2023-12-04 22:03:29 -0800
committerRobin H. Johnson <robbat2@gentoo.org>2023-12-04 22:03:29 -0800
commitc43b5e05d424a12e4007c937318c3662751d3bac (patch)
treeb8ec745d9fdeaec555b557968be6fc71365af092
parentupdate-02-gpg: improve trust chain check, but also workaround behavior bug (diff)
local/update-02-gpg: fix commit verification trust chain for newer gitgithooks-20231205T060329Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-xlocal/update-02-gpg54
1 files changed, 44 insertions, 10 deletions
diff --git a/local/update-02-gpg b/local/update-02-gpg
index 79fbff4..b0dc1b1 100755
--- a/local/update-02-gpg
+++ b/local/update-02-gpg
@@ -57,28 +57,62 @@ case ${VERIFY_SIGS} in
echo " Please update the keys into conformance if you wish to continue" >&2
echo " using them. If not, please remove unused keys from LDAP." >&2
fi
+
# create a dedicated GNUPGHOME
TMPHOME=$(mktemp -d)
trap 'rm -rf "${TMPHOME}"' EXIT
+
# transfer the keys:
- # - ONLY for the developer in question
- # - and chain to L1
- CHAIN=(
- ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org
- 2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org
- 18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org
+ # - ONLY for the developer/service in question
+ # - with chain to L1
+ CHAIN_L1=(
+ ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org
+ )
+ CHAIN_L2=(
+ 2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org
+ 18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org
)
- gpg -q --export "${GOOD_KEYS[@]}" | GNUPGHOME=${TMPHOME} gpg -q --import
+ EXPORT_CMD=(
+ gpg -q
+ --export-options export-clean,no-export-local-sigs,no-export-attributes
+ # keep-uid filter is not working in gnupg-2.4.3 or gnupg-2.2.41
+ #--export-filter 'keep-uid="uid =~ @gentoo.org"'
+ --export
+ )
+ IMPORT_CMD=(
+ gpg -q
+ # no-self-sigs-only is needed to import the signature chain.
+ --import-options import-clean,no-import-local-sigs,no-keep-ownertrust,no-self-sigs-only
+ # keep-uid filter is not working in gnupg-2.4.3 or gnupg-2.2.41
+ #--import-filter 'keep-uid="uid =~ @gentoo.org"'
+ --import
+ )
+ "${EXPORT_CMD[@]}" \
+ "${CHAIN_L1[@]}" \
+ "${CHAIN_L2[@]}" \
+ "${GOOD_KEYS[@]}" \
+ | \
+ GNUPGHOME=${TMPHOME} \
+ "${IMPORT_CMD[@]}"
+
# use new GNUGPHOME to restrict to dev's keys
export GNUPGHOME=${TMPHOME}
cat >>$GNUPGHOME/gpg.conf <<-EOF
- # Workaround for chain trust issue
- trust-model always
+ # Explicitly set trust model;
+ # git-2.43 does not recognize the always & direct trust model behavior
+ # so it exports that the signatures came from an untrusted key
+ trust-model pgp
EOF
- for _k in "${CHAIN[@]}" ; do
+ # And declare that the L1 key is trusted.
+ # This could go into the trustdb file instead, but cleaner this way.
+ for _k in "${CHAIN_L1[@]}" ; do
echo "trusted-key $_k" >> $GNUPGHOME/gpg.conf
done
+
+ # If there are problems w/ the key export/import loop, or trust
+ # verification; dump here
#GNUPGHOME=${TMPHOME} gpg --check-trustdb
+ #GNUPGHOME=${TMPHOME} gpg --list-sig
;;
no)
;;
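Review bot: With `trust-model pgp` and only the L1 fingerprint declared via `trusted-key`, the developer/service keys at the end of the chain validate only if L1's certifications on the L2 keys are trust signatures (or L2 is given explicit ownertrust), and the hunk neither sets nor documents that assumption; I'd add `# L1 is the sole ultimately-trusted key; dev/service key validity relies on L1's certifications of L2 being trust signatures (tsig), not plain certifications` above the `trusted-key` loop. The argument order of the export (`CHAIN_L1`, then `CHAIN_L2`, then `GOOD_KEYS`) also appears to matter, since `import-clean` strips certifications made by keys not present in the keyring at the time each key is imported, so a comment such as `# order matters: import-clean keeps a certification only if the certifying key is already imported` on the export call would keep someone from reordering it. The exit status of the export/import pipeline is not checked, so a failed or partial export leaves a sparse keyring that later surfaces as an "untrusted key" verification error instead of a clear failure; unless `set -o pipefail` is enabled above the hunk, appending `|| { echo "key export/import failed" >&2; exit 1; }` to the pipeline makes that explicit. The enclosing `case ${VERIFY_SIGS}` block starts before the hunk.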