genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)

I changed the wrapper to call gpgv instead of gpg. It is much easier and cleaner to use local configuration this way, and it won't produce a warning that the key isn't trusted. I also removed used of an environment variable, as we (currently) only pass one keyring filename here.
2017-01-07 02:57:59 +00:00 · 2017-01-07 02:57:59 +00:00 · f5af248fc0
parent 9e92fc9bab
commit f5af248fc0
4 changed files with 43 additions and 0 deletions
--- a/debian/bin/genorig.py
+++ b/debian/bin/genorig.py
@ -69,6 +69,15 @@ class Main(object):
    def upstream_export(self, input_repo):
        self.log("Exporting %s from %s\n" % (self.tag, input_repo))

+        gpg_wrapper = os.path.join(os.getcwd(),
+                                   "debian/bin/git-tag-gpg-wrapper")
+        verify_proc = subprocess.Popen(['git',
+                                        '-c', 'gpg.program=%s' % gpg_wrapper,
+                                        'tag', '-v', self.tag],
+                                        cwd=input_repo)
+        if verify_proc.wait():
+            raise RuntimeError("GPG tag verification failed")
+
        archive_proc = subprocess.Popen(['git', 'archive', '--format=tar',
                                         '--prefix=%s/' % self.orig, self.tag],
                                        cwd=input_repo,
--- a/debian/bin/git-tag-gpg-wrapper
+++ b/debian/bin/git-tag-gpg-wrapper
@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+# Instead of calling gpg, call gpgv and provide a local keyring
+
+debian_dir="$(readlink -f "$(dirname "$0")/..")"
+
+# Parse the expected options.  If the next two lines are combined, a
+# failure of getopt won't cause the script to exit.
+ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")"
+eval "set -- $ordered_args"
+gpgv_opts=()
+while true; do
+    case "$1" in
+	--status-fd)
+	    gpgv_opts+=(--status-fd $2)
+	    shift 2
+	    ;;
+	--keyid-format)
+	    # ignore
+	    shift 2
+	    ;;
+	--verify)
+	    # ignore
+	    shift 1
+	    ;;
+	--)
+	    shift 1
+	    break
+	    ;;
+    esac
+done
+
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"
--- a/debian/changelog
+++ b/debian/changelog
@ -20,6 +20,7 @@ linux (4.9-1~exp1) UNRELEASED; urgency=medium
  * Use debhelper compatibility level 9
  * [arm64] Revert "arm64/mm: Limit TASK_SIZE_64 ..." and add breaks on
    incompatible mozjs
+  * genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)

  [ Uwe Kleine-König ]
  * enable `perf data' support; patch by Sebastian Andrzej Siewior
--- a/debian/upstream/signing-key.pgp
+++ b/debian/upstream/signing-key.pgp