From f5af248fc00dcb4e0d275b589268b564a6a5ef2d Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Sat, 7 Jan 2017 02:57:59 +0000 Subject: [PATCH] genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez) I changed the wrapper to call gpgv instead of gpg. It is much easier and cleaner to use local configuration this way, and it won't produce a warning that the key isn't trusted. I also removed used of an environment variable, as we (currently) only pass one keyring filename here. --- debian/bin/genorig.py | 9 +++++++++ debian/bin/git-tag-gpg-wrapper | 33 ++++++++++++++++++++++++++++++++ debian/changelog | 1 + debian/upstream/signing-key.pgp | Bin 0 -> 6867 bytes 4 files changed, 43 insertions(+) create mode 100755 debian/bin/git-tag-gpg-wrapper create mode 100644 debian/upstream/signing-key.pgp diff --git a/debian/bin/genorig.py b/debian/bin/genorig.py index c3a4eea26..59f31a8c0 100755 --- a/debian/bin/genorig.py +++ b/debian/bin/genorig.py @@ -69,6 +69,15 @@ class Main(object): def upstream_export(self, input_repo): self.log("Exporting %s from %s\n" % (self.tag, input_repo)) + gpg_wrapper = os.path.join(os.getcwd(), + "debian/bin/git-tag-gpg-wrapper") + verify_proc = subprocess.Popen(['git', + '-c', 'gpg.program=%s' % gpg_wrapper, + 'tag', '-v', self.tag], + cwd=input_repo) + if verify_proc.wait(): + raise RuntimeError("GPG tag verification failed") + archive_proc = subprocess.Popen(['git', 'archive', '--format=tar', '--prefix=%s/' % self.orig, self.tag], cwd=input_repo, diff --git a/debian/bin/git-tag-gpg-wrapper b/debian/bin/git-tag-gpg-wrapper new file mode 100755 index 000000000..58e1750ee --- /dev/null +++ b/debian/bin/git-tag-gpg-wrapper 
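Review bot: The wrapper path is assembled from `os.getcwd()`, so `git tag -v` only finds gpg.program when genorig.py is run from the top of the packaging tree; from any other directory git cannot execute the wrapper and verification fails, which is at least fail-closed but is reported as if the signature were bad. If the rest of genorig.py already assumes that working directory this is consistent, but anchoring on the script itself removes the dependency: `gpg_wrapper = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'git-tag-gpg-wrapper')`. Carrying the exit status into the error would also let a missing wrapper or keyring be told apart from a rejected signature: `raise RuntimeError("GPG tag verification failed (git exited %d)" % verify_proc.returncode)`. The rest of upstream_export, including the git archive call begun in the hunk's last lines, continues outside the hunk.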
@@ -0,0 +1,33 @@ +#!/bin/bash -e + +# Instead of calling gpg, call gpgv and provide a local keyring + +debian_dir="$(readlink -f "$(dirname "$0")/..")" + +# Parse the expected options. If the next two lines are combined, a +# failure of getopt won't cause the script to exit. +ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")" +eval "set -- $ordered_args" +gpgv_opts=() +while true; do + case "$1" in + --status-fd) + gpgv_opts+=(--status-fd $2) + shift 2 + ;; + --keyid-format) + # ignore + shift 2 + ;; + --verify) + # ignore + shift 1 + ;; + --) + shift 1 + break + ;; + esac +done + +exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@" diff --git a/debian/changelog b/debian/changelog index ec4575ea0..a2cffde39 100644 --- a/debian/changelog +++ b/debian/changelog @@ -20,6 +20,7 @@ linux (4.9-1~exp1) UNRELEASED; urgency=medium * Use debhelper compatibility level 9 * [arm64] Revert "arm64/mm: Limit TASK_SIZE_64 ..." and add breaks on incompatible mozjs + * genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez) [ Uwe Kleine-König ] * enable `perf data' support; patch by Sebastian Andrzej Siewior 
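Review bot: The option loop has no default branch, so any argument that reaches the `case` without matching would spin forever instead of failing; today getopt only emits the three declared options, and a new flag from a future git version makes getopt fail before the loop, but an explicit `*) echo "$0: unexpected argument: $1" >&2; exit 1 ;;` branch makes the intended fail-closed behaviour visible rather than incidental. `$2` in `gpgv_opts+=(--status-fd $2)` should be quoted as `gpgv_opts+=(--status-fd "$2")`, even though git only ever passes a small integer there. A `set -e` as the first statement is more robust than relying on the `#!/bin/bash -e` shebang, which is silently lost if the script is ever run as `bash git-tag-gpg-wrapper`. A comment above the `exec` line stating that gpgv treats every key in the supplied keyring as fully trusted, so `debian/upstream/signing-key.pgp` is the entire trust root and must contain only the intended upstream signing key, would make that design decision explicit for whoever next updates the keyring.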
diff --git a/debian/upstream/signing-key.pgp b/debian/upstream/signing-key.pgp new file mode 100644 index 0000000000000000000000000000000000000000..f8324867b794d8346ca8741614e3a892c59da242 GIT binary patch literal 6867 zcma)=RZtwYB+q91TMJUkZ)-5 zsCh9nI&j0iM!DsCoczX8{Y8tETq-p(%C=rO3I3ck@2ixp=FeRKPxA$5yIl_`ZnTo& z!t)}dIkvZo1r~rcsm%!U$=7bpo$xyq+|tO~XB0D&%uWuzlIpkRJ^`1_&g}r`w`S4X z-aZ!;YcShxkmrjRxVIHXaGBcRxxa2U;krqbS3#t}52q@$%vkTaG!-eP)XEYrw)>2m zD{-^w!bL_rAN9MvV1o%y3LM(@q!Z_gycb0_eLE(Z3FS{V+F;G+g5`^g1iuKLb0+DK z)t)XKqA^itB#<%Pu-0Au!o=1d3SX_^Q3y_!)cGQ!jiHaD=@C+xiddF~wUL#9*J}NB zJ88NBgRnN#(}p%ZM zxjNN+V@wkOFAmomlt8U|0fP+-1KUU@1_G1IxVf5HS%WQI$mu1N#XgdA@Bx7=>>Ml{ z91P)bya+h3C@_?WaB{i@>TtyHNa(02$nbDTcxb37=maIi3Nq_A)VfiP&OSo>YW z$H}4Cs3PH5Fk=Z+hYvdMdYLdo)n7O@cLLnE-o)O?dMpLcJX~e(CS&|!%8Bp8849C{ zdJ(H(-vpH4x~p@dCkYVM*CsrD zIe~;Zltr1hdq?$KS^z^tCmrj0b}{%RC$J1xEi!Q|;a&1d(N>=&S`aZbrZ9&x>7ZM& zr@S!(sTY~cLzkk=&LOjya_lh&r{f}GI5jfK`DK?T)MuXGn}UptjFn{X+3p+dpD za9N&AGrD7bpD^=$Xk$t@+L;GbgnRL=IS?jbe`vMOUj1>{kWmshkgk30)E+rW+w{SE z1Y}kTW)jgkv_s~fGYl0;-R#}vD?TTpT5OaRACyu>KiODi zavx8eJa17lfkMMRP=hMt6~nd?KjkR;Q@?fIXj^IlP08(<7qcQcobffY0&$X}Xw7Nu z!p?REV@k2bdE43B-i+YusFn*tGrkiNeZ!+5W!&2S-Ep5IBn}R`){y#>#G|_sB*YMP zK+L6uL!wUH@){vOCLacj<_)|f=Nk6w{uN2UP2aobSqMa@0GJBw$l|Q>_}GyqK068s zmoTkK2h~F~og79%`;NjpGkQMxL}WI}!9>kN@xe%Oi?0MY69&sER3sFd;qTCWoc)f} zE&-$F)&$2q>ULIWvFX2*L>rtLqQkxzoUt4*f;!u}73unYR6DB0ha)M$KXK>mHJcuB zk01@u>eLCuu@_I+C0-d}-c7>wAa(d$*SVHMv*xxc{O}^b);;JnJV-M>t0zBf{(2r^ zqg65{?Ce4!EYK@^4A$Cm{yqf=fR048#bn?db!gwk;4zZG@izXbc#f-#V4u&W4Z`tq zsBM_#q+1Z?aICjmhn`7!*P!lAw)tx|W|^>cL4pgh$A=k%Npml+-|4o;yzP)6G}f9}ApKTf+?z$tgK~+b+KkCatw;3E6pDz%WWLIi=sq&E`;(X{mcOApL75rD)N1Z_Q}WJ4QEo#m zUHx1*sL=5GE>cDnOr!tc3-BtCFI-$Pxjku2dRV1WabrVwR& zTkzJf*-d_C^YCMmJS0W)MeED6bL!Kem0Qpv?9(DnCcS<9#30r&&CG%x3y)0)W998^ zy5|~*dGz*MvC4250w}zv14WQ6Aq&I)13s@XN>av#R>tlI7_TyNM)rNH6Kxh}WaA?{ zNQgsU-exP(2++9I7{C}555F?0=R6dFla`6NA+99zL58WEBSV!QT*fPfsGV>x>QT*V;X~D>$WvztIZ9`FRwUTqw<6%75wRDgI zPE3zimQhucNrwm><3%5*StaYPg9M>vtRR 
z*gE3PBOT6dD4oKD&UypuFi1@JMpTHvtBI?A|rOT zVe^e$3=&xgO1x=m7REdsj6A!RA7Fe-w@jQUY${8dt{D2sT`WT#5M3LFOhPx_A;EjmWf_&zhcK&TB_$m_!Nwq^pCoQ9Nd^er za8qJFHB%2~tOekb+vdFz_?4|3-$b~!DQARByv7Js8A+&n+eF-=6!mueG(&*93SrBv zz=6`wSai$PYNPdr?#vqio)QP8qIF_VBQ<9gB!iYs(D8%W&|{m~iESV!SR#2ViF~qL zzk)|}Y=Gjm=-A6!)% zC_Ry>12Tb&_Noc#(?Ry&y09F(t3N|#cDrtDZV%~>RHTdqJSE%}twf?7snzoQq)o3o z&QbWSk!v^7_nlyO{T)u$a7+zgp0erG8;6a+(Y6|SL;23gROP0jM*X~Rtj^0H@iMzY zL{5`cu1>!SPTKtjEKM@>*_Uw$Vk-5YgeQf=CPI#B`(BEhgZdlI zw`DDR(#cH0_=r6DvrerQPy2t7(HjvE}mtPO^k`a&Q~CK$>?bqnj! zWHY#I1%H+JZv>KGyVnfX?DBa?=X)egt`{VlU$=kd)i=Dql%*13f zKcsK+dOa?Mi=0EngYV3>+O?l{Lh-lZ&rZK4-_%X}4)$xq_V#Qzy~9AdyQ68$yk`X~ z4`#txj@+A@@+Ie}cMAcJD?E|5UJVi6k9gE{iMskdmT6MjXb7X+D)h+U||nKrM~!bVI>UZ0Z!J%QfH^8LxB7PxG5R z)(A_wla*#GQpB)*C*A3P5<|(iY3@&AEbdV==XFy5Hu&he;@|pQOxBATX^63Jbi(U{ zKbNR~9zi_~k$(6k&?g23uFnQ8+I2Wd#059gaxN!V;40D3Q|u?!V?DR*7vTcDY-cl> zDL_cI)5^$Oo>g@=`Ue@oH;d~o&4SwY)AL^oRX>!WaqO`L!j}Hd71%U2-%1>&t`41n zW%t>bAucVJq#SPnWDu;T->Ect{^FL8fq0lU@5V^g!Ft(XP@X!ydtA}fz_-3_gFO$a z!D=axqvh(?+&WUo?GBeaA~WzCvl~k99c_0nTaF96i^3E|4H+<4a$Yli&8)eln3enE{KlKw!{;2aAqP?!~L!o<LCyEx>nXDiLJkR5I zPL=o5tz0jCG0xl{(+|OTX8$xRMQLY{CAqw_gNYT3jES?Wy$P6{Ucnmd=1Fb~at4F! 
z$X#4bOzlAA&LBIGi3^C_#o7}5r-c2v^A8{#P;uNRx=0tf4dCa-yZgtvj21$ z6gX5g^glfe9`=8F81G8QuyKO5kdZzX%#fLpVuy@nuA#QeXmg>|bS0L1&BOBNa;`Fm zl-!YV>G~XC_$eJX`H?Ux*V)Rkm5|s^$3-P!p;K>%JL{S~$RrnxoR?aUH|wp{lkayr z0-;Aya=q7?(d#Vr0!uE%wGO&q>)%FW>jR*u=<8O%(HB*u=b{AlaaU-134 zQUMB>c(f`oUp`QV(w#^`wYcWpN|OZ#=l7LzQge>VQvn$t4Sjcb0PAD}M(cf~(*qY5 z;ct$9=FLuhvfVG9B40Jg?796U8E-vljgV_SZcG(iAO{dB+wLYS%)77I2p!kUUZLDx_Yh5t4YSdryvBnU!@d7iSIEMatsgq$9Q z9jJ^+CVWqiS&7n@)YCMpPv!U`sOUyIjk`R0Ztda`uXfaq(?cb?%DhA868$0`ex6i^ zEAIvZ@>nFX#?(10&F|D%x0tcE#J4*R5Mdt?5)q?2P0^Xh8}~Y5HowpMhQ`N-t3eG% zgpeo?e(^W@;rd;X2OK%y41jQ!Tj9_Flcsi1-=bzdm%8Xl8b|qvAQsqeO9-q^fWJu@ z05qpTowEQfYS^i3egX#>&A%@5?_{c{r0CiYw`>29pNjwqSQODJ`u_P&3(rdesmMwj z(`NSbp`cm@2ZHe8o+Te&ft^Oj#t1D|@|+}J(WB4_>g>9texQB=x}LH}-aSXiwJ8}L zYkIL&55r5u=EJ!%f;IEIati{O*DkaPY-um-ZSAiJn#qd!#G0ketV&vIDWVU=794@} zrTxfvF~EC`be?^&XYhSo+VsxO!#>c!^(!@~B0geAO3#{{{FH5If~ zWk6}?UN$)*kvW`)Va2;u)dq{cMUD`K>znk_{eeU4&@@_A>OKTn+mz^u_t`3JTYB}F zMrL!bYS`FB5U4mha_zMq_X53es<_fzwnq( zrlEZ*6%D)eIlB>kzas(StzX@pQ3HTkDAl+ZVWP=u>f~6NJ-IBA=XfdBqE(AjkdFn9 zCafjtJI(#p4Le(Pe#+%3*PTRdWQM(Jnkk-^N9ZSi0+cBO$otq)IvCxG2%A)HWvmA3 z0Z1>hmu3@(ZDC)AJK;oJd0iC$Y!@-VQ|yxyjlsVfGO=q zAvXWs+moM*RXZIaJ`x(c)>Sq76&!-g zW1a2cH2eB{om*E}nf3ryq~tk|^GFnh^q9V(B_ zt@C^oZK)zWK^x6DzW7X@X`9hH3=MI4q?Reh@_qR&-dmtvp^?5DX#J4XIxV3`4z+O&(v@M?Z@L#cQCsa)m`ac08;b6P#hxP#)Hy`eM;0dk4e0zxKQx692M{bMiD<>gg)lDNj!fdlSFCsZaDj?EG@+3l2Ie= zR{2!SEk5sJ>dp7Sjy;7PqrM<1KsR-e5}-C~->Y_kYegtzEF;}xED#EiMER^AAQUb5 z{ykaN)-8cHk|(56vG-f3qZWECs_@MYe?obIWhZ3;*)OFZXdI3bR7yGlRw!P zEivJ8iz!f!#*9kVj8)=!qGR%Na=67qct;9jcR68;636BVp~kJeqO;^fv0jFjtg1 zXcE6Yyyc1fHX`_lNfGTh)L90}6aqtDsLYwjNOHD|8|5Z&)EVr}aq^1gO7hhpsmjUv za|hltU51rwzwZ*AQY)7P*c=|?qep)JD5Lx7&F|T3NA$|}QMnz0h#OQpSSV98@yF1sc{?_6P1X>=TpJNH8rKP!@3XzczI*06tz=RaZn zFO>cj*8fe+Au;l+WTa{`aYl(ym8ZO9gt24`aKeqvA7bql@^$^O=I+LWRw+N2Qaj=T zT3uaD)S=o!4#eE?QB>y|=RB6tdQr9PPa=>RUaND;a+o?-J?cv|QP9@$3l@c>6lo-X zG}D}AS0HobSSS93Z#P6clV#;yI3(7MO+>hYTt}|M|5M4ZvH$t@{X4i|&*J8R>G<%< z(*sDGPSeLgKy%jq$GnaP`V=!5x