From 6c92853af8a7ca65fad19cb0f1a0ffaecec48fb7 Mon Sep 17 00:00:00 2001
From: Anthony Towns
Date: Sun, 11 Mar 2007 01:24:49 +1000
Subject: [PATCH] Make GPGKeyring a list of keyrings; drop PGPKeyring. This allows for more than two keyrings to be used.
---
 config/debian-non-US/dak.conf | 6 ++++--
 config/debian-security/dak.conf | 6 ++++--
 config/debian/dak.conf | 6 ++++--
 dak/import_archive.py | 4 ++--
 dak/import_ldap_fingerprints.py | 10 ++++------
 daklib/utils.py | 19 +++++++++++++------
 docs/README.config | 10 ++++++----
 7 files changed, 37 insertions(+), 24 deletions(-)
diff --git a/config/debian-non-US/dak.conf b/config/debian-non-US/dak.conf
index 2c14c7db..be2527e5 100644
--- a/config/debian-non-US/dak.conf
+++ b/config/debian-non-US/dak.conf
@@ -1,7 +1,9 @@
 Dinstall {
- PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
- GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+ GPGKeyring {
+ "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+ "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+ };
 SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
 SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
 SigningKeyIds "1DB114E0";
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index b146c637..0af66820 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -1,7 +1,9 @@
 Dinstall {
- PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
- GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+ GPGKeyring {
+ "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+ "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+ };
 SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
 SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
 SigningKeyIds "2D230C5F";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 047cf269..50390f5b 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -1,7 +1,9 @@
 Dinstall {
- PGPKeyring "/srv/keyring.debian.org/keyrings/debian-keyring.pgp";
- GPGKeyring "/srv/keyring.debian.org/keyrings/debian-keyring.gpg";
+ GPGKeyrings {
+ "/srv/keyring.debian.org/keyrings/debian-keyring.gpg";
+ "/srv/keyring.debian.org/keyrings/debian-keyring.pgp";
+ };
 SigningKeyring "/srv/ftp.debian.org/s3kr1t/dot-gnupg/secring.gpg";
 SigningPubKeyring "/srv/ftp.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
 SigningKeyIds "6070D3A1";
diff --git a/dak/import_archive.py b/dak/import_archive.py
index f064b4ae..34dc61bc 100755
--- a/dak/import_archive.py
+++ b/dak/import_archive.py
@@ -98,8 +98,8 @@ def check_signature (filename): return None status_read, status_write = os.pipe()
- cmd = "gpgv --status-fd %s --keyring %s --keyring %s %s" \
- % (status_write, Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"], filename)
+ cmd = "gpgv --status-fd %s %s %s" \
+ % (status_write, daklib.utils.gpg_keyring_args(), filename)
 (output, status, exit_status) = daklib.utils.gpgv_get_status_output(cmd, status_read, status_write) # Process the status-fd output
diff --git a/dak/import_ldap_fingerprints.py b/dak/import_ldap_fingerprints.py
index 4541c331..90e4108f 100755
--- a/dak/import_ldap_fingerprints.py
+++ b/dak/import_ldap_fingerprints.py
@@ -136,9 +136,8 @@ SELECT f.fingerprint, f.id, u.uid FROM fingerprint f, uid u WHERE f.uid = u.id q = projectB.query("SELECT fingerprint, id FROM fingerprint WHERE uid is null") for i in q.getresult(): (fingerprint, fingerprint_id) = i
- cmd = "gpg --no-default-keyring --keyring=%s --keyring=%s --fingerprint %s" \
- % (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"],
- fingerprint)
+ cmd = "gpg --no-default-keyring %s --fingerprint %s" \
+ % (gpg_keyring_args(), fingerprint)
 (result, output) = commands.getstatusoutput(cmd) if result == 0: m = re_gpg_fingerprint.search(output)
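Review bot: The block added to config/debian/dak.conf is spelled `GPGKeyrings`, but every reader in this commit looks up `Dinstall::GPGKeyring` (singular), and the other two configs and docs/README.config use the singular name. With this spelling `Cnf.ValueList("Dinstall::GPGKeyring")` would presumably come back empty for this archive, so `gpg_keyring_args()` emits no `--keyring` option and signature checks would run against whatever keyring gpgv/gpg defaults to, while the `[0]` lookup in daklib/utils.py would raise. Rename the block to match: `GPGKeyring {`.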
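Review bot: In dak/import_ldap_fingerprints.py both rewritten command lines call `gpg_keyring_args()` unqualified (the `--fingerprint` hunk at -136 and the `--list-key` hunk at -156), whereas dak/import_archive.py calls `daklib.utils.gpg_keyring_args()`. No import of that bare name is visible in either hunk, so unless the file imports it elsewhere these lines raise NameError at runtime; use `daklib.utils.gpg_keyring_args()` in both places. The enclosing function starts and ends outside the hunks.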
@@ -156,9 +155,8 @@ SELECT f.fingerprint, f.id, u.uid FROM fingerprint f, uid u WHERE f.uid = u.id extra_keyrings = "" for keyring in Cnf.ValueList("Import-LDAP-Fingerprints::ExtraKeyrings"): extra_keyrings += " --keyring=%s" % (keyring)
- cmd = "gpg --keyring=%s --keyring=%s %s --list-key %s" \
- % (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"],
- extra_keyrings, fingerprint)
+ cmd = "gpg %s %s --list-key %s" \
+ % (gpg_keyring_args(), extra_keyrings, fingerprint)
 (result, output) = commands.getstatusoutput(cmd) if result != 0: cmd = "gpg --keyserver=%s --allow-non-selfsigned-uid --recv-key %s" % (Cnf["Import-LDAP-Fingerprints::KeyServer"], fingerprint)
diff --git a/daklib/utils.py b/daklib/utils.py
index 4e048d3c..9758fc97 100644
--- a/daklib/utils.py
+++ b/daklib/utils.py
@@ -904,7 +904,7 @@ on error.""" if not keyserver: keyserver = Cnf["Dinstall::KeyServer"] if not keyring:
- keyring = Cnf["Dinstall::GPGKeyring"]
+ keyring = Cnf.ValueList("Dinstall::GPGKeyring")[0]
 # Ensure the filename contains no shell meta-characters or other badness if not re_taint_free.match(filename):
@@ -939,6 +939,14 @@ on error.""" ################################################################################
+def gpg_keyring_args(keyrings=None)
+ if not keyrings:
+ keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
+
+ return " ".join(["--keyring %s" % x for x in keyrings])
+
+################################################################################
+
 def check_signature (sig_filename, reject, data_filename="", keyrings=None, autofetch=None): """Check the signature of a file and return the fingerprint if the signature is valid or 'None' if it's not. The first argument is the
@@ -963,7 +971,7 @@ used.""" return None if not keyrings:
- keyrings = (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"])
+ keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
 # Autofetch the signing key if that's enabled if autofetch == None:
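Review bot: `Cnf.ValueList("Dinstall::GPGKeyring")[0]` in the daklib/utils.py hunk at -904 raises IndexError when the list is empty, and it quietly makes list order significant: the first entry becomes the default `keyring` for this function (it looks like the key-fetch path, but the rest of the body is outside the hunk). Check for an empty list and fail with a clear configuration error before indexing. Add a comment such as `# the first configured keyring is the default target here`, and say the same in docs/README.config, which now describes GPGKeyring only as a set of filenames.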
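Review bot: `def gpg_keyring_args(keyrings=None)` in the daklib/utils.py hunk at -939 is missing its trailing colon, so the module will not compile and every caller changed in this commit breaks on import; it should read `def gpg_keyring_args(keyrings=None):`. The helper also returns an empty string when no keyring is configured, which leaves gpgv/gpg to fall back to their default keyring rather than failing closed; reject that case after the config lookup, e.g. `if not keyrings: raise ValueError("Dinstall::GPGKeyring is empty")`. The paths are joined unquoted into a string that the callers run as a command line, so a short docstring should state that only trusted paths without shell metacharacters may be passed.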
@@ -976,10 +984,9 @@ used.""" # Build the command line status_read, status_write = os.pipe();
- cmd = "gpgv --status-fd %s" % (status_write)
- for keyring in keyrings:
- cmd += " --keyring %s" % (keyring)
- cmd += " %s %s" % (sig_filename, data_filename)
+ cmd = "gpgv --status-fd %s %s %s %s" % (
+ status_write, gpg_keyring_args(keyrings), sig_filename, data_filename)
+
 # Invoke gpgv on the file (output, status, exit_status) = gpgv_get_status_output(cmd, status_read, status_write)
diff --git a/docs/README.config b/docs/README.config
index 29749f65..c0e831f3 100644
--- a/docs/README.config
+++ b/docs/README.config
@@ -200,8 +200,10 @@ Mandatory. List of dinstall options, e.g.: | Dinstall | {
-| PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
-| GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+| GPGKeyring {
+| "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+| "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+| };
 | SigningKeyring "/org/ftp.debian.org/s3kr1t/dot-gnupg/secring.gpg"; | SendmailCommand "/usr/sbin/sendmail -odq -oi -t"; | MyEmailAddress "Debian Installer ";
@@ -222,8 +224,8 @@ Mandatory. List of dinstall options, e.g.: | }; | };
-PGPKeyring and GPGKeyring (required): filenames of the PGP and GnuPG
-keyrings to be used by dak respectively.
+GPGKeyring (required): filenames of the PGP and GnuPG
+keyrings to be used by dak.
 SigningKeyring (optional): this is the private keyring used by 'dak generate-releases'.
--
2.39.5