genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
I changed the wrapper to call gpgv instead of gpg. It is much easier and cleaner to use local configuration this way, and it won't produce a warning that the key isn't trusted. I also removed use of an environment variable, as we (currently) only pass one keyring filename here.
This commit is contained in:
parent
9e92fc9bab
commit
f5af248fc0
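--- a/debian/bin/genorig.py
+++ b/debian/bin/genorig.py
@@ -69,6 +69,15 @@ class Main(object):
 def upstream_export(self, input_repo):
 self.log("Exporting %s from %s\n" % (self.tag, input_repo))
 
+gpg_wrapper = os.path.join(os.getcwd(),
+"debian/bin/git-tag-gpg-wrapper")
+verify_proc = subprocess.Popen(['git',
+'-c', 'gpg.program=%s' % gpg_wrapper,
+'tag', '-v', self.tag],
+cwd=input_repo)
+if verify_proc.wait():
+raise RuntimeError("GPG tag verification failed")
+
 archive_proc = subprocess.Popen(['git', 'archive', '--format=tar',
 '--prefix=%s/' % self.orig, self.tag],
 cwd=input_repo,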
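Review bot: The `if verify_proc.wait():` check turns every nonzero exit of `git tag -v` into "GPG tag verification failed", which also covers the wrapper not existing under `os.getcwd()` or gpgv not being installed, so a setup problem is reported as a bad signature. Keeping the status makes the two distinguishable: `rc = verify_proc.wait()` followed by `raise RuntimeError("GPG tag verification failed (git tag -v exited %d)" % rc)`. A comment on the `gpg_wrapper = ...` line saying that the path is resolved from the current working directory, i.e. the script must be run from the top of the packaging tree, would spare the next reader the same question. Verification and the `git archive` that follows both resolve `self.tag` by name; resolving it once to an object id and passing that to both commands would tie the exported tree to the tag object that was actually verified. upstream_export continues past the end of the hunk.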
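--- /dev/null
+++ b/debian/bin/git-tag-gpg-wrapper
@@ -0,0 +1,33 @@
+#!/bin/bash -e
+
+# Instead of calling gpg, call gpgv and provide a local keyring
+
+debian_dir="$(readlink -f "$(dirname "$0")/..")"
+
+# Parse the expected options. If the next two lines are combined, a
+# failure of getopt won't cause the script to exit.
+ordered_args="$(getopt -n "$0" -o "" -l "status-fd:" -l "keyid-format:" -l "verify" -- "$@")"
+eval "set -- $ordered_args"
+gpgv_opts=()
+while true; do
+case "$1" in
+--status-fd)
+gpgv_opts+=(--status-fd $2)
+shift 2
+;;
+--keyid-format)
+# ignore
+shift 2
+;;
+--verify)
+# ignore
+shift 1
+;;
+--)
+shift 1
+break
+;;
+esac
+done
+
+exec gpgv "${gpgv_opts[@]}" --keyring "$debian_dir/upstream/signing-key.pgp" -- "$@"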
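Review bot: In the `--status-fd)` arm the descriptor is appended unquoted as `gpgv_opts+=(--status-fd $2)`; it comes from getopt's quoted output so it is a single word in practice, but `gpgv_opts+=(--status-fd "$2")` is the safe form and matches the quoting used everywhere else in the script. The `case` has no default arm, so if an unexpected token ever reached `$1` (getopt normally guarantees one of the four listed) nothing would shift and `while true` would spin forever, since `-e` only reacts to a failing command; adding `*) echo "$0: unexpected argument: $1" >&2; exit 1 ;;` makes that path fail closed like the rest. The header comment could also state the security contract this script relies on: gpgv treats every key in the supplied keyring as valid, so the trust decision is exactly the contents of `debian/upstream/signing-key.pgp`, and any option git passes that getopt does not recognise aborts verification instead of being dropped silently.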
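--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ linux (4.9-1~exp1) UNRELEASED; urgency=medium
 * Use debhelper compatibility level 9
 * [arm64] Revert "arm64/mm: Limit TASK_SIZE_64 ..." and add breaks on
 incompatible mozjs
+* genorig.py: Verify tag signatures (based on work by Yves-Alexis Perez)
 
 [ Uwe Kleine-König ]
 * enable `perf data' support; patch by Sebastian Andrzej Siewior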
Binary file not shown.