commit:     f1e3d1c948291bb5083abd130e7c3f55c7300c54
Author:     Michał Górny <mgorny <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 24 17:30:10 2025 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Fri Oct 24 18:45:34 2025 +0000
URL:        https://gitweb.gentoo.org/proj/gemato.git/commit/?id=f1e3d1c9

openpgp: Process refresh results manually

Check the exact keys used while refreshing via HKP.  Sequoia does not
return errors like GnuPG does, so we need to double-check the result
ourselves.

Signed-off-by: Michał Górny <mgorny <AT> gentoo.org>

 gemato/openpgp.py | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/gemato/openpgp.py b/gemato/openpgp.py
index f5ead9f..10aade6 100644
--- a/gemato/openpgp.py
+++ b/gemato/openpgp.py
@@ -659,10 +659,28 @@ debug-level guru
         if keyserver is not None:
             ks_args = ['--keyserver', keyserver]
 
+        expected_fprs = set(self.list_keys())
         exitst, out, err = self._spawn_gpg(
-            [GNUPG, '--batch', '--refresh-keys'] + ks_args,
+            [GNUPG, '--batch', '--refresh-keys', '--status-fd', '1'] + ks_args,
             raise_on_error=OpenPGPKeyRefreshError)
 
+        imported_fprs = set()
+        for line in out.splitlines():
+            if line.startswith(b'[GNUPG:] IMPORT_OK'):
+                imported_fprs.add(line.split(b' ')[3].decode('ASCII'))
+
+        if imported_fprs != expected_fprs:
+            extra_keys = imported_fprs - expected_fprs
+            missing_keys = expected_fprs - imported_fprs
+            if extra_keys:
+                raise OpenPGPKeyRefreshError(
+                    f"Keyserver update injected additional keys: {extra_keys}"
+                )
+            if missing_keys:
+                raise OpenPGPKeyRefreshError(
+                    f"Keyserver is missing keys: {missing_keys}"
+                )
+
     def refresh_keys(self, allow_wkd=True, keyserver=None):
         LOGGER.debug(f'refresh_keys(allow_wkd={allow_wkd}, '
                      f'keyserver={keyserver}) called')
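Review bot: The status parsing in the new loop (`line.split(b' ')[3].decode('ASCII')`) trusts the shape of every `IMPORT_OK` line, but GnuPG's DETAILS documents the line as `IMPORT_OK <reason> [<fingerprint>]` with the fingerprint optional, so a short or malformed line surfaces as an `IndexError`/`UnicodeDecodeError` traceback instead of the `OpenPGPKeyRefreshError` callers presumably expect. Parsing into fields first keeps the failure mode consistent: `fields = line.split(b' ')` / `if fields[:2] == [b'[GNUPG:]', b'IMPORT_OK'] and len(fields) >= 4:` / `imported_fprs.add(fields[3].decode('ASCII'))`. Worth a comment above the loop as well: the comparison is on primary-key fingerprints only, so it cannot tell an unchanged key (reason 0) from one the keyserver merged new UIDs, subkeys or signatures into, and by the time `extra_keys` raises, the injected key is already in the keyring, so the caller must not keep using it after this error — both points depend on how `list_keys()` formats fingerprints and on what the caller does with the keyring, which are outside the hunk. The enclosing method starts before the `if keyserver is not None:` context line shown here.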
