commit: 673342471b1a8b2cb9ee9688ec43d1889b0e7811
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 10 04:55:13 2026 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Feb 10 04:55:13 2026 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=67334247
sec-keys/openpgp-keys-gentoo-developers: drop versions
Signed-off-by: Sam James <sam <AT> gentoo.org>
sec-keys/openpgp-keys-gentoo-developers/Manifest | 6 -
.../openpgp-keys-gentoo-developers-20250915.ebuild | 236 ---------------------
.../openpgp-keys-gentoo-developers-20251027.ebuild | 236 ---------------------
.../openpgp-keys-gentoo-developers-20251103.ebuild | 236 ---------------------
.../openpgp-keys-gentoo-developers-20251229.ebuild | 236 ---------------------
.../openpgp-keys-gentoo-developers-20260105.ebuild | 236 ---------------------
...enpgp-keys-gentoo-developers-20260112-r1.ebuild | 236 ---------------------
.../openpgp-keys-gentoo-developers-20260112.ebuild | 236 ---------------------
8 files changed, 1658 deletions(-)
diff --git a/sec-keys/openpgp-keys-gentoo-developers/Manifest
b/sec-keys/openpgp-keys-gentoo-developers/Manifest
index 04c43430ff38..32a0a1979f49 100644
--- a/sec-keys/openpgp-keys-gentoo-developers/Manifest
+++ b/sec-keys/openpgp-keys-gentoo-developers/Manifest
@@ -1,7 +1 @@
-DIST openpgp-keys-gentoo-developers-20250915-active-devs.gpg 2965660 BLAKE2B
b841a5a302dc840c45cc029a4f19465e905d5fea1d195bcd73fcfab7ad80525e87f4e4087296263c226f190543a1678d834a87a402f508b2ddc4f3c934f78dc2
SHA512
f8043722d15102bb21331d4043490352c89ebe1a9913ad127a6e4a133ec0098403e1568a57c9bf4e32e8e04532cd464baf6c27aa98cdba72233a733139c4a835
-DIST openpgp-keys-gentoo-developers-20251027-active-devs.gpg 2973197 BLAKE2B
03edcc39210382943e2859f049fe07eff89897835c084cea8f8803ac24414e73225ea333d8d5a4be033f508b110eaf06c5251c41e5e1a0de6aafc7e01b83ded0
SHA512
3c30a7a509f629966412e61d587785a985bb160a67bdbe29e980f4cffd9a569090f3f0856b90bdab37626282268d831f46133b695a7f4dd2549f71b437115178
-DIST openpgp-keys-gentoo-developers-20251103-active-devs.gpg 2981832 BLAKE2B
9627766dfa9ba8401a530aed70dd965136b6933ef4f6c44d3b8af39a2a700df0989a20f7a193472cd95bb8655f36224f183124ea7b06d347e7b60ac25b76b1e7
SHA512
e77a3be5246ff6e0bf05fd2345f2077c1d35692cfe310e8cdf2e88fa47bac896406eb315761fc0e09eede28ac3f7d353368beef484e019e75962f7086364db28
-DIST openpgp-keys-gentoo-developers-20251229-active-devs.gpg 3039660 BLAKE2B
446de55efa6a75fa1113cc3b96413b345f0a967c275cdf65b026f65890d5f8f14c6e609f5bc73a013569caefeb81aea2eef129bf61cb06893052a8ae47f2861c
SHA512
e1a29bcd4d0c03c34b8c359e675db67dd0ed78ccafa0af81f5ada81e09a8ae12ae09dff7e13ddc577389f1c383309ed1839e87e7d3709825e58c68c8ea3b5892
-DIST openpgp-keys-gentoo-developers-20260105-active-devs.gpg 3041765 BLAKE2B
3822ec3ae91431c297fdf3fb3ff25d8f6948ded7d21cf673ace386542f05dc0d36a5f4edabfd32947a67c306391b44a7539619f743f26f2ad65b296306d72ea5
SHA512
3f69e80f292316c2ab39176bbf6aa07b06bfde41f6fec30e98694af0304e827b38dec00f399551f24275660494df693b5dfcde24cce4be5e018cc3d7d0f7c556
-DIST openpgp-keys-gentoo-developers-20260112-active-devs.gpg 3041621 BLAKE2B
ace33b3aded26b3e49e87fa0290231f454a9e7493a65336a5e3afa185e39b39c48ca44ab55772fa9a44100be9c132e17747da59b774d50ac21d6d0bbd1b621cb
SHA512
8b3f51904710d178d9675ff58063e51bfc931086c1ae08553408a13d8694464c13000f5878a93abedc35cc9ae95b860778087759ad0004626fa1e930f798e413
DIST openpgp-keys-gentoo-developers-20260202-active-devs.gpg 3118901 BLAKE2B
8dc43d8ad7b6082305a99958432f73dfab73a4691b96dc45c0cace66db682e35e4c35058babcb38e98ea7151c9ac4763d0c5367a605b628300b24d4286f25d8c
SHA512
7aaff1aaff65d674b53ed1381c97b0394841cf7e9b2596a10c84804fbb9a50503b84fcd94f2f653d9832635f194266e5e90e9ae4f285026772252147f576ee5e
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250915.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250915.ebuild
deleted file mode 100644
index d32f6a8db148..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20250915.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- app-crypt/gnupg[nls]
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251027.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251027.ebuild
deleted file mode 100644
index d32f6a8db148..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251027.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- app-crypt/gnupg[nls]
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251103.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251103.ebuild
deleted file mode 100644
index d32f6a8db148..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251103.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2025 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- app-crypt/gnupg[nls]
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251229.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251229.ebuild
deleted file mode 100644
index 7fe3b766150d..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20251229.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- app-crypt/gnupg[nls]
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260105.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260105.ebuild
deleted file mode 100644
index 7fe3b766150d..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260105.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- app-crypt/gnupg[nls]
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260112-r1.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260112-r1.ebuild
deleted file mode 100644
index 8e21e3c693f3..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260112-r1.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- || ( app-crypt/gnupg[nls] app-crypt/freepg[nls] )
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
diff --git
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260112.ebuild
b/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260112.ebuild
deleted file mode 100644
index 7fe3b766150d..000000000000
---
a/sec-keys/openpgp-keys-gentoo-developers/openpgp-keys-gentoo-developers-20260112.ebuild
+++ /dev/null
@@ -1,236 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-PYTHON_COMPAT=( python3_{11..14} )
-inherit edo python-any-r1
-
-DESCRIPTION="Gentoo Authority Keys (GLEP 79)"
-HOMEPAGE="https://www.gentoo.org/downloads/signatures/";
-if [[ ${PV} == 9999* ]] ; then
- PROPERTIES="live"
-
- BDEPEND="net-misc/curl"
-else
-
SRC_URI="https://qa-reports.gentoo.org/output/keys/active-devs-${PV}.gpg ->
${P}-active-devs.gpg"
- KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64
~riscv ~sparc x86"
-fi
-
-S="${WORKDIR}"
-
-LICENSE="public-domain"
-SLOT="0"
-IUSE="test"
-RESTRICT="!test? ( test )"
-
-BDEPEND+="
- $(python_gen_any_dep 'dev-python/python-gnupg[${PYTHON_USEDEP}]')
- app-crypt/gnupg[nls]
- >=sec-keys/openpgp-keys-gentoo-auth-20240703
- test? (
- sys-apps/grep[pcre]
- )
-"
-
-python_check_deps() {
- python_has_version "dev-python/python-gnupg[${PYTHON_USEDEP}]"
-}
-
-src_unpack() {
- if [[ ${PV} == 9999* ]] ; then
- curl https://qa-reports.gentoo.org/output/active-devs.gpg -o
${P}-active-devs.gpg || die
- else
- default
- fi
-}
-
-src_compile() {
- export GNUPGHOME="${T}"/.gnupg
-
- get_gpg_keyring_dir() {
- if [[ ${PV} == 9999* ]] ; then
- echo "${WORKDIR}"
- else
- echo "${DISTDIR}"
- fi
- }
-
- local mygpgargs=(
- --no-autostart
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- mkdir "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
-
- # Convert the binary keyring into an armored one so we can process it
- edo gpg "${mygpgargs[@]}" --import
"$(get_gpg_keyring_dir)"/${P}-active-devs.gpg
- edo gpg "${mygpgargs[@]}" --export --armor >
"${WORKDIR}"/gentoo-developers.asc
-
- # Now strip out the keys which are expired and/or missing a signature
- # from our L2 developer authority key
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${WORKDIR}"/gentoo-developers.asc \
- "${WORKDIR}"/gentoo-developers-sanitised.asc
-}
-
-src_test() {
- export GNUPGHOME="${T}"/tests/.gnupg
-
- local mygpgargs=(
- # We don't have --no-autostart here because we need
- # to let it spawn an agent for the key generation.
- --no-default-keyring
- --homedir "${GNUPGHOME}"
- )
-
- # From verify-sig.eclass:
- # "GPG upstream knows better than to follow the spec, so we can't
- # override this directory. However, there is a clean fallback
- # to GNUPGHOME."
- addpredict /run/user
-
- # Check each of the keys to verify they're trusted by
- # the L2 developer key.
- mkdir -p "${GNUPGHOME}" || die
- chmod 700 "${GNUPGHOME}" || die
- cd "${T}"/tests || die
-
- # First, grab the L1 key, and mark it as ultimately trusted.
- edo gpg "${mygpgargs[@]}" --import
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc
- edo gpg "${mygpgargs[@]}" --import-ownertrust
"${BROOT}"/usr/share/openpgp-keys/gentoo-auth-ownertrust.txt
-
- # Generate a temporary key which isn't signed by anything to check
- # whether we're detecting unexpected keys.
- #
- # The test is whether this appears in the sanitised keyring we
- # produce in src_compile (it should not be in there).
- #
- #
https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html
- edo gpg "${mygpgargs[@]}" --batch --gen-key <<-EOF
- %echo Generating temporary key for testing...
-
- %no-protection
- %transient-key
- %pubring ${P}-ebuild-test-key.asc
-
- Key-Type: 1
- Key-Length: 2048
- Subkey-Type: 1
- Subkey-Length: 2048
- Name-Real: Larry The Cow
- Name-Email: [email protected]
- Expire-Date: 0
- Handle: ${P}-ebuild-test-key
-
- %commit
- %echo Temporary key generated!
- EOF
-
- # Import the new injected key that shouldn't be signed by anything into
a temporary testing keyring
- edo gpg "${mygpgargs[@]}" --import "${T}"/tests/${P}-ebuild-test-key.asc
-
- # Sign a tiny file with the to-be-injected key for testing rejection
below
- echo "Hello world!" > "${T}"/tests/signme || die
- edo gpg "${mygpgargs[@]}" -u "Larry The Cow <[email protected]>" --sign
"${T}"/tests/signme || die
-
- # keyring-mangler will fail with no valid keys so import the sanitised
list from src_compile.
- edo gpg "${mygpgargs[@]}" --import
"${WORKDIR}"/gentoo-developers-sanitised.asc
-
- edo gpg "${mygpgargs[@]}" --export --armor >
"${T}"/tests/tainted-keyring.asc
-
- # keyring-mangler.py should now produce a keyring *without* it
- edo "${EPYTHON}" "${FILESDIR}"/keyring-mangler.py \
- "${BROOT}"/usr/share/openpgp-keys/gentoo-auth.asc \
- "${T}"/tests/tainted-keyring.asc \
- "${T}"/tests/gentoo-developers-sanitised.asc | tee
"${T}"/tests/keyring-mangler.log
- assert "Key mangling in tests failed?"
-
- # Check the log to verify the injected key got detected
- grep -q "Dropping key.*Larry The Cow" "${T}"/tests/keyring-mangler.log
|| die "Did not remove injected key from test keyring!"
-
- # gnupg doesn't have an easy way for us to actually just.. ask
- # if a key is known via WoT. So, sign a file using the key
- # we just made, and then try to gpg --verify it, and check exit code.
- #
- # Let's now double check by seeing if a file signed by the injected key
- # is rejected.
- if gpg "${mygpgargs[@]}" --keyring
"${T}"/tests/gentoo-developers-sanitised.asc --verify "${T}"/tests/signme.gpg ;
then
- die "'gpg --verify' using injected test key succeeded! This
shouldn't happen!"
- fi
-
- # Bonus lame sanity check
- edo gpg "${mygpgargs[@]}" --check-trustdb 2>&1 | tee
"${T}"/tests/trustdb.log
- assert "trustdb call failed!"
-
- check_trust_levels() {
- local mode=${1}
-
- while IFS= read -r line; do
- # gpg: depth: 0 valid: 1 signed: 2 trust: 0-,
0q, 0n, 0m, 0f, 1u
- # gpg: depth: 1 valid: 2 signed: 0 trust: 0-,
0q, 0n, 0m, 2f, 0u
- if [[ ${line} == *depth* ]] ; then
- depth=$(echo ${line} | grep -Po "depth: [0-9]")
- trust=$(echo ${line} | grep -Po "trust:.*")
-
- trust_uncalculated=$(echo ${trust} | grep -Po
"[0-9]-")
- [[ ${trust_uncalculated} == 0 ]] || ${mode}
-
- trust_insufficient=$(echo ${trust} | grep -Po
"[0-9]q")
- [[ ${trust_insufficient} == 0 ]] || ${mode}
-
- trust_never=$(echo ${trust} | grep -Po "[0-9]n")
- [[ ${trust_never} == 0 ]] || ${mode}
-
- trust_marginal=$(echo ${trust} | grep -Po
"[0-9]m")
- [[ ${trust_marginal} == 0 ]] || ${mode}
-
- trust_full=$(echo ${trust} | grep -Po "[0-9]f")
- [[ ${trust_full} != 0 ]] || ${mode}
-
- trust_ultimate=$(echo ${trust} | grep -Po
"[0-9]u")
- [[ ${trust_ultimate} == 1 ]] || ${mode}
-
- echo "${trust_uncalculated},
${trust_insufficient}"
- fi
- done < "${T}"/tests/trustdb.log
- }
-
- # First, check with the bad key still in the test keyring.
- # This is supposed to fail, so we want it to return 1
- check_trust_levels "return 1" && die "Trustdb passed when it should
have failed!"
-
- # Now check without the bad key in the test keyring.
- # This one should pass.
- #
- # Drop the bad key first
(https://superuser.com/questions/174583/how-to-delete-gpg-secret-keys-by-force-without-fingerprint)
- keys=$(gpg "${mygpgargs[@]}" --fingerprint --with-colons --batch "Larry
The Cow <[email protected]>" \
- | grep "^fpr" \
- | sed -n 's/^fpr:::::::::\([[:alnum:]]\+\):/\1/p')
-
- local key
- for key in ${keys[@]} ; do
- nonfatal edo gpg "${mygpgargs[@]}" --batch --yes
--delete-secret-keys ${key}
- done
-
- edo gpg "${mygpgargs[@]}" --batch --yes --delete-keys "Larry The Cow
<[email protected]>"
- check_trust_levels "return 0" || die "Trustdb failed when it should
have passed!"
-
- gpgconf --kill gpg-agent || die
-}
-
-src_install() {
- insinto /usr/share/openpgp-keys
- newins gentoo-developers-sanitised.asc gentoo-developers.asc
-
- # TODO: install an ownertrust file like
sec-keys/openpgp-keys-gentoo-auth?
-}
