[tor-commits] [tor-browser-bundle/hardened-builds] Bug 19737: Allow git tag signatures made using an expired key

gk at torproject.org gk at torproject.org
Mon Aug 1 09:44:58 UTC 2016


commit c6458e49f9dd51708e22c84f26195c50d0ff2d0b
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Wed Jul 27 22:53:19 2016 +0200

    Bug 19737: Allow git tag signatures made using an expired key
    
    We are adding a gitian/git-gpg-wrapper script which validates signatures
    made using an expired key. To do that, we use gpgv rather than gpg, and
    any EXPKEYSIG line from the gpg `--status-fd` output is replaced by a
    GOODSIG line.
---
 gitian/git-gpg-wrapper | 13 +++++++++++++
 gitian/verify-tags.sh  |  3 ++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/gitian/git-gpg-wrapper b/gitian/git-gpg-wrapper
new file mode 100644
index 0000000..f137d6d
--- /dev/null
+++ b/gitian/git-gpg-wrapper
@@ -0,0 +1,13 @@
+#!/bin/bash
+# This wrapper script is used by git to verify signatures made using
+# an expired key.
+# https://bugs.torproject.org/19737
+set -e
+if [ $# -eq 4 ] && [ "$1" = '--status-fd=1' ] \
+        && [ "$2" = '--verify' ]
+then
+    gpgv "$1" "$3" "$4" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /'
+    exit ${PIPESTATUS[0]}
+else
+    exec gpg "$@"
+fi
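Review bot: The header comment should spell out the trust decision the wrapper makes: the `sed` on the `gpgv` line turns every `EXPKEYSIG` status into `GOODSIG`, so a signature from a key that has since expired is reported to git as fully good, while `REVKEYSIG`, `BADSIG` and `ERRSIG` lines pass through unchanged; suggested wording: `# Deliberately reports EXPKEYSIG as GOODSIG so tags signed with a now-expired key verify; revoked keys (REVKEYSIG) and bad signatures are still rejected.` gpgv is invoked without `--keyring`, so it relies on its default keyring inside GNUPGHOME (the `trustedkeys.gpg` that verify-tags.sh now imports into), which is worth a second comment line. gpgv's own exit status is propagated via `${PIPESTATUS[0]}`, so if gpgv returns non-zero for an expired-key signature the rewritten status line alone will not make `git tag -v` succeed — confirm against the gpgv version in the build environment. The fast path only triggers for the exact four-argument `--status-fd=1 --verify` form; any other invocation (for example a git version passing extra flags) silently falls back to plain `gpg`, where the expired key would presumably fail again.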
diff --git a/gitian/verify-tags.sh b/gitian/verify-tags.sh
index 5908801..8277fca 100755
--- a/gitian/verify-tags.sh
+++ b/gitian/verify-tags.sh
@@ -37,10 +37,11 @@ verify_git() {
 
   local gpghome=$(mktemp -d)
   echo "rm -rf '$gpghome'" >> "$CLEANUP"
-  GNUPGHOME="$gpghome" gpg --import "$keyring"
+  GNUPGHOME="$gpghome" gpg --no-default-keyring --keyring trustedkeys.gpg --import "$keyring"
 
   pushd .
   cd "$dir"
+  git config --local gpg.program "$WRAPPER_DIR/git-gpg-wrapper"
   if ! GNUPGHOME="$gpghome" git tag -v "$tag"; then
     echo >&2 "$dir: verification of tag $tag against $keyring failed!"
     exit 1
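Review bot: `git config --local gpg.program "$WRAPPER_DIR/git-gpg-wrapper"` writes the wrapper path into the checked-out repository's `.git/config` and nothing reverts it; the `$CLEANUP` mechanism used for `$gpghome` a few lines up does not cover it. Passing the setting on the command line keeps the repository untouched: `if ! GNUPGHOME="$gpghome" git -c gpg.program="$WRAPPER_DIR/git-gpg-wrapper" tag -v "$tag"; then`. `$WRAPPER_DIR` is not set in this hunk; presumably it is defined earlier in the script, but if it were empty the config would point at `/git-gpg-wrapper`, so a `: "${WRAPPER_DIR:?}"` guard before use would make that failure explicit. verify_git starts before this hunk and continues after it.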




