commit c6458e49f9dd51708e22c84f26195c50d0ff2d0b Author: Nicolas Vigier boklm@torproject.org Date: Wed Jul 27 22:53:19 2016 +0200
Bug 19737: Allow git tag signatures made using an expired key
We are adding a gitian/git-gpg-wrapper script which validates signatures made using an expired key. To do that, we use gpgv rather than gpg, and any EXPKEYSIG line from the gpg `--status-fd` output is replaced by a GOODSIG line. --- gitian/git-gpg-wrapper | 13 +++++++++++++ gitian/verify-tags.sh | 3 ++- 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/gitian/git-gpg-wrapper b/gitian/git-gpg-wrapper
new file mode 100644
index 0000000..f137d6d
--- /dev/null
+++ b/gitian/git-gpg-wrapper
@@ -0,0 +1,13 @@
+#!/bin/bash
+# This wrapper script is used by git to verify signatures made using
+# an expired key.
+# https://bugs.torproject.org/19737
+set -e
+if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
+ && [ "$2" = '--verify' ]
+then
+ gpgv "$1" "$3" "$4" | sed 's/^[GNUPG:] EXPKEYSIG /[GNUPG:] GOODSIG /'
+ exit ${PIPESTATUS[0]}
+else
+ exec gpg "$@"
+fi
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index 5908801..8277fca 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -37,10 +37,11 @@ verify_git() {
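Review bot: The sed pattern on the gpgv line, `^[GNUPG:] EXPKEYSIG `, is a bracket expression that matches one character from the set G, N, U, P, `:`, so as printed here it never matches the literal `[GNUPG:] EXPKEYSIG` status line and git would still see the original EXPKEYSIG; the brackets need escaping, `sed 's/^\[GNUPG:\] EXPKEYSIG /[GNUPG:] GOODSIG /'` (if the backslashes were lost when this page was rendered, disregard). The header comment should also spell out the trust consequence of switching to gpgv: it performs no trust-model check and accepts every key in the keyring it reads (trustedkeys.gpg under GNUPGHOME by default), so the keyring contents are the whole verification decision, e.g. `# gpgv trusts every key in trustedkeys.gpg; the caller must populate it with only the intended signing keys.` It is worth noting in the same comment that only EXPKEYSIG is rewritten, so revoked keys (REVKEYSIG) and expired signatures (EXPSIG) are still reported unchanged. Minor: quote the status expansion, `exit "${PIPESTATUS[0]}"`.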
local gpghome=$(mktemp -d)
 echo "rm -rf '$gpghome'" >> "$CLEANUP"
- GNUPGHOME="$gpghome" gpg --import "$keyring"
+ GNUPGHOME="$gpghome" gpg --no-default-keyring --keyring trustedkeys.gpg --import "$keyring"
pushd .
 cd "$dir"
+ git config --local gpg.program "$WRAPPER_DIR/git-gpg-wrapper"
 if ! GNUPGHOME="$gpghome" git tag -v "$tag"; then
 echo >&2 "$dir: verification of tag $tag against $keyring failed!"
 exit 1