mirror of
https://github.com/aptly-dev/aptly.git
synced 2026-01-12 03:21:33 +00:00
GPG may suddenly decide to re-validate its trustdb, resulting in any
call to `gpg` resulting in exit code 2. Don't allow GPG to validate trustdb when invoked in automated fashion.
This commit is contained in:
Andrey Smirnov
@@ -40,9 +40,9 @@ class PublishSnapshot1Test(BaseTest):
|
||||
self.check_file_contents('public/dists/maverick/Release', 'release', match_prepare=strip_processor)
|
||||
|
||||
# verify signatures
|
||||
self.run_cmd(["gpg", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
"--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
|
||||
self.run_cmd(["gpg", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
"--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
|
||||
os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
|
||||
|
||||
@@ -402,9 +402,9 @@ class PublishSnapshot16Test(BaseTest):
|
||||
self.check_file_contents('public/dists/maverick/main/source/Sources', 'sources', match_prepare=lambda s: "\n".join(sorted(s.split("\n"))))
|
||||
|
||||
# verify signatures
|
||||
self.run_cmd(["gpg", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
"--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
|
||||
self.run_cmd(["gpg", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
"--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
|
||||
os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
|
||||
|
||||
@@ -447,9 +447,9 @@ class PublishSnapshot17Test(BaseTest):
|
||||
self.check_file_contents('public/dists/maverick/main/binary-i386/Packages', 'binary', match_prepare=lambda s: "\n".join(sorted(s.split("\n"))))
|
||||
|
||||
# verify signatures
|
||||
self.run_cmd(["gpg", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
"--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/InRelease')])
|
||||
self.run_cmd(["gpg", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
self.run_cmd(["gpg", "--no-auto-check-trustdb", "--keyring", os.path.join(os.path.dirname(inspect.getsourcefile(BaseTest)), "files", "aptly.pub"),
|
||||
"--verify", os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release.gpg'),
|
||||
os.path.join(os.environ["HOME"], ".aptly", 'public/dists/maverick/Release')])
|
||||
|
||||
|
||||
10
utils/gpg.go
10
utils/gpg.go
@@ -54,7 +54,7 @@ func (g *GpgSigner) SetKeyRing(keyring, secretKeyring string) {
|
||||
func (g *GpgSigner) gpgArgs() []string {
|
||||
args := []string{}
|
||||
if g.keyring != "" {
|
||||
args = append(args, "--no-default-keyring", "--keyring", g.keyring)
|
||||
args = append(args, "--no-auto-check-trustdb", "--no-default-keyring", "--keyring", g.keyring)
|
||||
}
|
||||
if g.secretKeyring != "" {
|
||||
args = append(args, "--secret-keyring", g.secretKeyring)
|
||||
@@ -69,9 +69,9 @@ func (g *GpgSigner) gpgArgs() []string {
|
||||
|
||||
// Init verifies availability of gpg & presence of keys
|
||||
func (g *GpgSigner) Init() error {
|
||||
output, err := exec.Command("gpg", "--list-keys").Output()
|
||||
output, err := exec.Command("gpg", "--list-keys", "--dry-run", "--no-auto-check-trustdb").CombinedOutput()
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to execute gpg: %s (is gpg installed?)", err)
|
||||
return fmt.Errorf("unable to execute gpg: %s (is gpg installed?): %s", err, string(output))
|
||||
}
|
||||
|
||||
if g.keyring == "" && g.secretKeyring == "" && len(output) == 0 {
|
||||
@@ -122,7 +122,7 @@ func (g *GpgVerifier) InitKeyring() error {
|
||||
|
||||
if len(g.keyRings) == 0 {
|
||||
// using default keyring
|
||||
output, err := exec.Command("gpg", "--no-default-keyring", "--keyring", "trustedkeys.gpg", "--list-keys").Output()
|
||||
output, err := exec.Command("gpg", "--no-default-keyring", "--no-auto-check-trustdb", "--keyring", "trustedkeys.gpg", "--list-keys").Output()
|
||||
if err == nil && len(output) == 0 {
|
||||
fmt.Printf("\nLooks like your keyring with trusted keys is empty. You might consider importing some keys.\n")
|
||||
fmt.Printf("If you're running Debian or Ubuntu, it's a good idea to import current archive keys by running:\n\n")
|
||||
@@ -266,7 +266,7 @@ func (g *GpgVerifier) ExtractClearsigned(clearsigned io.Reader) (text *os.File,
|
||||
}
|
||||
defer os.Remove(text.Name())
|
||||
|
||||
args := []string{"--decrypt", "--batch", "--skip-verify", "--output", "-", clearf.Name()}
|
||||
args := []string{"--no-auto-check-trustdb", "--decrypt", "--batch", "--skip-verify", "--output", "-", clearf.Name()}
|
||||
|
||||
cmd := exec.Command("gpg", args...)
|
||||
stdout, err := cmd.StdoutPipe()
|
||||
|
||||
Reference in New Issue
Block a user