commit b0940e469f9c6d0ac0b1533a229bc0519255caaa Author: Isis Lovecruft isis@torproject.org Date: Wed Apr 23 01:47:50 2014 +0000
Fix default GPGHOMEDIR setting in libgpgme context.
GPGME was using the process owner's default GPGHOMEDIR directory, regardless of any keyfiles specified, meaning that if there were any other non-signing enabled secret keys in the keyrings, and one of the other keys was first on the secret keyring, that first key would be used for signing rather than the secret key in the specified keyfile.
* FIX problem detailed in comment 11 on #5463: https://trac.torproject.org/projects/tor/ticket/5463#comment:11 --- lib/bridgedb/crypto.py | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+)
diff --git a/lib/bridgedb/crypto.py b/lib/bridgedb/crypto.py index 2feb556..e8cf8fd 100644 --- a/lib/bridgedb/crypto.py +++ b/lib/bridgedb/crypto.py @@ -56,6 +56,7 @@ from Crypto.Cipher import PKCS1_OAEP from Crypto.PublicKey import RSA
from twisted.internet import ssl +from twisted.python.procutils import which
#: The hash digest to use for HMACs. @@ -79,6 +80,12 @@ except TypeError: else: NEW_BUFFER_INTERFACE = True
+#: Settings for the GPGME Context and `Crypto Engine`_. +#: .. _`Crypto Engine`: +#: http://www.gnupg.org/documentation/manuals/gpgme/Crypto-Engine.html#Crypto-E... +GPGME_CONTEXT_HOMEDIR = '.gnupg' +GPGME_CONTEXT_BINARY = which('gpg2') or which('gpg') # These will be lists +
class RSAKeyGenerationError(Exception): """Raised when there was an error creating an RSA keypair.""" @@ -334,6 +341,22 @@ def getGPGContext(cfg): ctx = gpgme.Context()
try: + binary = GPGME_CONTEXT_BINARY[0] + except Exception: + # Setting this to ``None`` will cause libgpgme to "use the default + # binary", according their docs: + binary = None + + try: + homedir = os.path.abspath(GPGME_CONTEXT_HOMEDIR) + logging.debug("Setting GPG homedir to %r" % homedir) + if not os.path.isdir(homedir): + os.makedirs(homedir) + # This is done to ensure that we don't ever use keys in the process + # owner's $GNUPGHOME directory, see: + # http://www.gnupg.org/documentation/manuals/gpgme/Crypto-Engine.html#Crypto-E... + ctx.set_engine_info(gpgme.PROTOCOL_OpenPGP, binary, homedir) + logging.debug("Opening GPG keyfile %s..." % cfg.EMAIL_GPG_SIGNING_KEY) keyfile = open(cfg.EMAIL_GPG_SIGNING_KEY) key = ctx.import_(keyfile)