Merge pull request #603 from smira/improve-pgp-internal

Improve internal PGP provider
2026-06-04 05:10:40 +00:00 · 2017-07-31 20:57:43 +03:00
parent cafa82f018 e9b2c18e2f
commit 4cca7272ce
6 changed files with 82 additions and 9 deletions
@@ -41,7 +41,7 @@ check: system/env
 	else \
 		gometalinter --config=linter.json ./...; \
 	fi
-	. system/env/bin/activate && flake8 --max-line-length=200 --exclude=env/ system/
+	. system/env/bin/activate && flake8 --max-line-length=200 --exclude=system/env/ system/

 install:
 	go install -v -ldflags "-X main.Version=$(VERSION)"
@@ -108,13 +108,20 @@ func (g *GoSigner) Init() error {
 		return errors.Wrap(err, "error load secret keyring")
 	}

-	if len(g.secretKeyring) == 0 {
-		return fmt.Errorf("looks like there are no keys in gpg, please create one (official manual: http://www.gnupg.org/gph/en/manual.html)")
-	}
-
 	if g.keyRef == "" {
 		// no key reference, pick the first key
-		g.signer = g.secretKeyring[0]
+		for _, signer := range g.secretKeyring {
+			if !validEntity(signer) {
+				continue
+			}
+
+			g.signer = signer
+			break
+		}
+
+		if g.signer == nil {
+			return fmt.Errorf("looks like there are no keys in gpg, please create one (official manual: http://www.gnupg.org/gph/en/manual.html)")
+		}
 	} else {
 	pickKeyLoop:
 		for _, signer := range g.secretKeyring {
@@ -124,6 +131,10 @@ func (g *GoSigner) Init() error {
 				break
 			}

+			if !validEntity(signer) {
+				continue
+			}
+
 			for name := range signer.Identities {
 				if strings.Contains(name, g.keyRef) {
 					g.signer = signer
@@ -148,6 +159,12 @@ func (g *GoSigner) Init() error {
 			i++
 		}

+		fmt.Printf("openpgp: %s-bit %s key, ID %s, created %s\n",
+			keyBits(g.signer.PrimaryKey.PublicKey),
+			pubkeyAlgorithmName(g.signer.PrimaryKey.PubKeyAlgo),
+			KeyFromUint64(g.signer.PrimaryKey.KeyId),
+			g.signer.PrimaryKey.CreationTime.Format("2006-01-02"))
+
 		if g.passphrase == "" {
 			if g.batch {
 				return errors.New("key is locked with passphrase, but no passphrase was given in batch mode")
@@ -456,7 +473,7 @@ func loadKeyRing(name string, ignoreMissing bool) (openpgp.EntityList, error) {
 	if err != nil {
 		if os.IsNotExist(err) {
 			if !ignoreMissing {
-				fmt.Printf("opengpg: failure opening keyring '%s': %s", name, err)
+				fmt.Printf("opengpg: failure opening keyring '%s': %s\n", name, err)
 			}
 			return nil, nil
 		}
@@ -3,6 +3,9 @@ package pgp
 import (
 	"bytes"
 	"crypto"
+	"crypto/dsa"
+	"crypto/ecdsa"
+	"crypto/rsa"
 	"hash"
 	"io"
 	"strconv"
@@ -191,3 +194,50 @@ func pubkeyAlgorithmName(algorithm packet.PublicKeyAlgorithm) string {

 	return "unknown"
 }
+
+func keyBits(key interface{}) string {
+	switch k := key.(type) {
+	case *rsa.PublicKey:
+		return strconv.Itoa(k.N.BitLen())
+	case *dsa.PublicKey:
+		return strconv.Itoa(k.P.BitLen())
+	case *ecdsa.PublicKey:
+		return strconv.Itoa(k.Curve.Params().BitSize)
+	default:
+		return "?"
+	}
+}
+
+func validEntity(entity *openpgp.Entity) bool {
+	var selfSig *packet.Signature
+	for _, ident := range entity.Identities {
+		if selfSig == nil {
+			selfSig = ident.SelfSignature
+		} else if ident.SelfSignature.IsPrimaryId != nil && *ident.SelfSignature.IsPrimaryId {
+			selfSig = ident.SelfSignature
+			break
+		}
+	}
+
+	if selfSig == nil {
+		return false
+	}
+
+	if len(entity.Revocations) > 0 {
+		return false
+	}
+
+	if selfSig.RevocationReason != nil {
+		return false
+	}
+
+	if !selfSig.FlagsValid {
+		return false
+	}
+
+	if selfSig.KeyLifetimeSecs != nil && selfSig.CreationTime.Add(time.Duration(*selfSig.KeyLifetimeSecs)*time.Second).Before(time.Now()) {
+		return false
+	}
+
+	return true
+}
@@ -1,10 +1,11 @@
 opengpg: failure opening keyring '${HOME}/.gnupg/aptlytest.gpg': open ${HOME}/.gnupg/aptlytest.gpg: no such file or directory
+
 Looks like your keyring with trusted keys is empty. You might consider importing some keys.
 Downloading http://mirror.yandex.ru/debian-backports/dists/squeeze-backports/InRelease...
-openpgp: Signature made Sun, 13 Mar 2016 12:02:54 MSK using RSA key ID 8B48AD6246925553
+openpgp:  RSA key ID 8B48AD6246925553
 openpgp: Can't check signature: public key not found
 Downloading http://mirror.yandex.ru/debian-backports/dists/squeeze-backports/Release...
 Downloading http://mirror.yandex.ru/debian-backports/dists/squeeze-backports/Release.gpg...
-openpgp: Signature made Sun, 13 Mar 2016 12:02:54 MSK using RSA key ID 8B48AD6246925553
+openpgp:  RSA key ID 8B48AD6246925553
 openpgp: Can't check signature: public key not found
 ERROR: unable to fetch mirror: failed to verify detached signature: openpgp: signature made by unknown entity
@@ -1,4 +1,5 @@
 openpgp: Passphrase is required to unlock private key "Aptly Tester (don't use it) <test@aptly.info>"
+openpgp: 1024-bit DSA key, ID F30E8CB9CDDE2AF8, created
 Loading packages...
 Generating metadata files and linking package files...
 Finalizing metadata files...
@@ -1,6 +1,7 @@
 import os
 import hashlib
 import inspect
+import re
 import zlib
 from lib import BaseTest

@@ -747,6 +748,9 @@ class PublishRepo31Test(BaseTest):
    gold_processor = BaseTest.expand_environ
    configOverride = {"gpgProvider": "internal"}

+    def outputMatchPrepare(_, s):
+        return re.sub(r' \d{4}-\d{2}-\d{2}', '', s)
+
    def check(self):
        super(PublishRepo31Test, self).check()