genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
I changed the wrapper to call gpgv instead of gpg. It is much easier and cleaner to use local configuration this way, and it won't produce a warning that the key isn't trusted. I also removed use of an environment variable, as we (currently) only pass one keyring filename here.
parent
9e92fc9bab
commit
f5af248fc0
|
@ -69,6 +69,15 @@ class Main(object):
|
|||
def upstream_export(self, input_repo):
|
||||
self.log("Exporting %s from %s\n" % (self.tag, input_repo))
|
||||
|
||||
gpg_wrapper = os.path.join(os.getcwd(),
|
||||
"debian/bin/git-tag-gpg-wrapper")
|
||||
verify_proc = subprocess.Popen(['git',
|
||||
'-c', 'gpg.program=%s' % gpg_wrapper,
|
||||
'tag', '-v', self.tag],
|
||||
cwd=input_repo)
|
||||
if verify_proc.wait():
|
||||
raise RuntimeError("GPG tag verification failed")
|
||||
|
||||
archive_proc = subprocess.Popen(['git', 'archive', '--format=tar',
|
||||
'--prefix=%s/' % self.orig, self.tag],
|
||||
cwd=input_repo,
|
||||
|
|
|
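Review bot: The new `git tag -v` call in `upstream_export` proves that the tag object carries a valid signature from a key in the keyring, but nothing checks that the signed object is the tag that was requested. As far as I know git does not compare the `tag` header inside the signed object with the ref name, so a validly signed older tag stored under the name in `self.tag` would still pass and then be archived. Consider capturing the command's standard output (`stdout=subprocess.PIPE` with `communicate()` rather than `wait()`) and requiring the header line `'tag %s' % self.tag` before the first blank line. Separately, `gpg_wrapper` is built from `os.getcwd()`, so verification only works when the script is started from the package root; a wrong directory appears to fail closed, but deriving the path from `__file__` would be sturdier. The body of `upstream_export` continues past the end of this hunk.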
@ -0,0 +1,33 @@
|
|||
#!/bin/bash -e
|
||||
|
||||
# Instead of calling gpg, call gpgv and provide a local keyring
|
||||
|
||||
debian_dir="$(readlink -f "$(dirname "$0")/..")"
|
||||
|
||||
# Parse the expected options. If the next two lines are combined, a
|
||||
# failure of getopt won't cause the script to exit.
|
||||
ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")"
|
||||
eval "set -- $ordered_args"
|
||||
gpgv_opts=()
|
||||
while true; do
|
||||
case "$1" in
|
||||
--status-fd)
|
||||
gpgv_opts+=(--status-fd $2)
|
||||
shift 2
|
||||
;;
|
||||
--keyid-format)
|
||||
# ignore
|
||||
shift 2
|
||||
;;
|
||||
--verify)
|
||||
# ignore
|
||||
shift 1
|
||||
;;
|
||||
--)
|
||||
shift 1
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
|
|
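Review bot: The final `exec gpgv ... --keyring "$debian_dir/upstream/signing-key.pgp"` line makes that one file the entire trust decision, because gpgv treats every key in the keyring as trusted and, per its manual, does not check for expired or revoked keys. A header comment should say so for whoever updates the keyring, for example `# gpgv trusts every key in upstream/signing-key.pgp and ignores expiry/revocation; review changes to that file like code.` In the option loop, `gpgv_opts+=(--status-fd $2)` should quote the value as `gpgv_opts+=(--status-fd "$2")`. The `case` also has no `*)` arm: getopt should guarantee that only the listed options and `--` arrive, but if anything else did, the `while true` loop would never shift past it, so `*) echo "$0: unexpected argument: $1" >&2; exit 2 ;;` would make the wrapper fail closed.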
@ -20,6 +20,7 @@ linux (4.9-1~exp1) UNRELEASED; urgency=medium
|
|||
* Use debhelper compatibility level 9
|
||||
* [arm64] Revert "arm64/mm: Limit TASK_SIZE_64 ..." and add breaks on
|
||||
incompatible mozjs
|
||||
* genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
|
||||
|
||||
[ Uwe Kleine-König ]
|
||||
* enable `perf data' support; patch by Sebastian Andrzej Siewior
|
||||
|
|
Binary file not shown.