[tbb-commits] [tor-browser-bundle/master] Bug 19737: Allow git tag signatures made using an expired key
gk at torproject.org
gk at torproject.org
Sat Jul 30 10:51:04 UTC 2016
commit 7923b2184b46d4f9b861db256f28e00ee47d390d
Author: Nicolas Vigier <boklm at torproject.org>
Date: Wed Jul 27 22:53:19 2016 +0200
Bug 19737: Allow git tag signatures made using an expired key
We are adding a gitian/git-gpg-wrapper script which validates signatures
made using an expired key. To do that, we use gpgv rather than gpg, and
any EXPKEYSIG line from the gpg `--status-fd` output is replaced by a
GOODSIG line.
---
gitian/git-gpg-wrapper | 13 +++++++++++++
gitian/verify-tags.sh | 3 ++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/gitian/git-gpg-wrapper b/gitian/git-gpg-wrapper
new file mode 100644
index 0000000..f137d6d
--- /dev/null
+++ b/gitian/git-gpg-wrapper
@@ -0,0 +1,13 @@
+#!/bin/bash
+# This wrapper script is used by git to verify signatures made using
+# an expired key.
+# https://bugs.torproject.org/19737
+set -e
+if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
+ && [ "$2" = '--verify' ]
+then
+ gpgv "$1" "$3" "$4" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /'
+ exit ${PIPESTATUS[0]}
+else
+ exec gpg "$@"
+fi
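Review bot: When git calls the wrapper with anything other than exactly `--status-fd=1 --verify <sig> <data>` the script silently takes the `exec gpg "$@"` branch, and because verify-tags.sh now imports the keys only into `trustedkeys.gpg`, plain gpg will then report a missing public key rather than that the wrapper did not match — it fails closed, which is correct, but the error is misleading to whoever debugs it, and a git version that passes extra options (a key-id format flag, for instance) would presumably land there. I would announce the fallback before exec'ing: `echo >&2 "git-gpg-wrapper: unexpected arguments, falling back to gpg: $*"`. The header comment should also state what the sed rewrite does and does not relax, e.g. `# Only EXPKEYSIG is rewritten to GOODSIG; BADSIG, REVKEYSIG and missing-key results pass through unchanged and still fail verification.`. A one-line comment on the `exit ${PIPESTATUS[0]}` line explaining that the pipeline's own status would be sed's, so gpgv's status is propagated explicitly, would save the next reader a detour.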
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index 7d92e36..baea827 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -37,10 +37,11 @@ verify_git() {
local gpghome=$(mktemp -d)
echo "rm -rf '$gpghome'" >> "$CLEANUP"
- GNUPGHOME="$gpghome" gpg --import "$keyring"
+ GNUPGHOME="$gpghome" gpg --no-default-keyring --keyring trustedkeys.gpg --import "$keyring"
pushd .
cd "$dir"
+ git config --local gpg.program "$WRAPPER_DIR/git-gpg-wrapper"
if ! GNUPGHOME="$gpghome" git tag -v "$tag"; then
echo >&2 "$dir: verification of tag $tag against $keyring failed!"
exit 1