[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnu-arch-users] signing rules
From: |
Harald Meland |
Subject: |
Re: [Gnu-arch-users] signing rules |
Date: |
Tue, 15 Mar 2005 00:24:20 +0100 |
User-agent: |
Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux) |
[David Allouche]
> That's mostly a wrapper that uses the quietify script.
[...]
> It's quite possible that this effect could have been achieved by
> passing the appropriate options to gpg, but at the time I was
> completely scared by this software.
I'm using something that provides the same functionality, but uses gpg
options to make it more silent:
=default.check
#!/bin/sh
exec $HOME/bin/tla-gpg-check "$@"
~/bin/tla-gpg-check
#!/local/bin/perl -w
use strict;
my $verbose = exists ($ENV{'GPG_VERBOSE'});
my $gpg_command = "gpg --verify-files";
unless ($verbose) {
$gpg_command .= " --logger-fd 3 3>/dev/null";
}
sub parse_checksum {
my ($maxlines) = @_;
my $revision = undef;
my @lines = ();
my $first_line_seen = 0;
my $last_line_seen = 0;
while (my $line = <STDIN>) {
die "Too many lines, limit=$maxlines.\n"
if @lines >= (defined ($maxlines) ? $maxlines : 512);
if ($line =~ m,^-----BEGIN PGP SIGNED MESSAGE-----$,) {
if ($first_line_seen) {
die "More than one 'BEGIN PGP' line.\n";
} else {
push (@lines, $line);
$first_line_seen = 1;
}
next;
} elsif ($line =~ m,^-----END PGP SIGNATURE-----$,) {
if ($last_line_seen) {
die "More than one 'END PGP' line.\n";
} elsif (! $first_line_seen) {
die "'END PGP' line precedes 'BEGIN PGP' line.\n";
} else {
push (@lines, $line);
$last_line_seen = 1;
}
next;
}
if ($line =~ m,^Signature-for: (\S+),) {
$revision = $1;
}
die "Non-signed input found before 'BEGIN PGP' line.\n"
unless $first_line_seen;
die "Non-signed input found after 'END PGP' line.\n"
if $last_line_seen;
push (@lines, $line);
}
return $revision, @lines;
}
sub find_keyring {
my ($revision) = @_;
return unless defined ($revision);
my $keyring_dir = "$ENV{HOME}/.arch-params/signing/=keyrings";
return unless ($revision =~ m,^([^\@/address@hidden/]+)/,);
my $archive = $1;
my $keyring = "$keyring_dir/$archive";
return unless (-r $keyring && -s $keyring);
return $keyring;
}
my ($revision, @lines) = parse_checksum ();
my $keyring = find_keyring ($revision);
if (defined ($keyring)) {
# gpgv doesn't support --no-default-keyring.
$gpg_command .= " --no-default-keyring --keyring=$keyring";
print "* Verifying $revision using GPG keyring: $keyring\n"
if $verbose;
} else {
print "* Verifying $revision using default GPG keyring.\n"
if $verbose;
}
open (GPG, "|$gpg_command -") || die "open (|$gpg_command)";
foreach my $line (@lines) {
print GPG $line;
}
close (GPG) || die "Signature checking failed, status $?.\n";
exit 0;
This means that I can run "GPG_VERBOSE=foo tla whatever" if I want to
see the chatter produced by gpg.
The tla-gpg-check script autodetects which keyring to use from the
contents of the signature file; all archive-specific keyrings live
under ~/.arch-params/signing/=keyrings/ in files that have the same
name as the archive they should work for. If no archive-specific
keyring can be found, the default gpg keyring will be used.
--
Harald
- Re: [Gnu-arch-users] signing rules, (continued)