Hi folks,
The attached log first chunk shows that new downloads especially GnuPG and GNU
packages may be signed with keys not recognized by old gnupg/gpg.
After applying the attached patches, which add support for the newer gpg2 from
gnupg2 if installed, the attached log second chunk shows the new keys verified
by gpg2 added to lib/src_prep.cygpart ___gpg_verify().
Similar code has been added to lib/pkg_pkg.cygpart __pkg_srcpkg() for check and
definition and __gpg_sign() for use in gpg signing of Cygwin patches and files.
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry>>> Preparing gpgme-1.23.1-1.x86_64
*** Info: SOURCE 1 signature follows:
gpg: Signature made 2023 Oct 27 Fri 06:41:07 MDT using ? key ID 26403ADA
gpg: Can't check signature: unknown pubkey algorithm
gpg: Signature made 2023 Nov 14 Tue 17:50:43 MST using ? key ID 19C6C8BD
gpg: Can't check signature: unknown pubkey algorithm
>>> Preparing gpgme-1.23.1-1.x86_64
*** Info: SOURCE 1 signature follows:
gpg: Signature made 2023 Oct 27 Fri 06:41:07 MDT
gpg: using EDDSA key 6DAA6E64A76D2840571B4902528897B826403ADA
gpg: Good signature from "Werner Koch (dist signing 2020)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
gpg: Signature made 2023 Nov 14 Tue 17:50:43 MST
gpg: using EDDSA key AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
gpg: Good signature from "Niibe Yutaka (GnuPG Release Key)" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
--- /usr/share/cygport/lib/pkg_pkg.cygpart.orig 2023-03-08 06:07:57.000000000
-0700
+++ /usr/share/cygport/lib/pkg_pkg.cygpart 2023-11-19 21:13:16.879391200
-0700
@@ -505,7 +505,7 @@ __gpg_sign() {
echo "${2} signature needs to be updated";
rm -f ${1}.sig;
# we 'check_prog gpg' in __pkg_srcpkg()
- gpg --detach-sign ${1};
+ $GPG --detach-sign ${1};
}
__squeeze_whitespace() {
@@ -563,7 +563,9 @@ __pkg_srcpkg() {
if __arg_bool SIG
then
- if check_prog gpg
+ if check_prog gpg2; then GPG=gpg2; else GPG=gpg; fi
+
+ if check_prog $GPG
then
__gpg_sign ${spkgdir}/${cygportfile} "CYGPORT SCRIPT";
@@ -583,14 +585,15 @@ __pkg_srcpkg() {
__gpg_sign ${spkgdir}/${src_patchfile} "SOURCE
PATCH";
fi
else
- inform "gnupg must be installed in order to make
signatures.";
+ inform "gnupg2 or gnupg must be installed in order to
make signatures.";
fi
fi
cd ${spkgdir%/*};
mkdir -p ${distdir}/${PN};
- __tar ${distdir}/${PN}/${PF}-src.tar.${TAR_COMPRESSION_EXT}
${spkgdir##*/}/ || error "Source package creation failed"
+ __tar ${distdir}/${PN}/${PF}-src.tar.${TAR_COMPRESSION_EXT}
${spkgdir##*/}/ \
+ || error "Source package creation failed"
echo;
# source package hint
--- /usr/share/cygport/lib/src_prep.cygpart.orig 2023-11-19
18:51:13.284177300 -0700
+++ /usr/share/cygport/lib/src_prep.cygpart 2023-11-19 21:00:35.754036900
-0700
@@ -181,12 +181,14 @@ __gpg_verify() {
local _filetype=${2};
local _sigext=${3:-sig};
- if ! check_prog gpg && ! check_prog gpg2
+ if check_prog gpg2; then GPG=gpg2; else GPG=gpg; fi
+
+ if ! check_prog $GPG
then
# display notice only once
if ! defined _gpg_not_found_
then
- inform "gnupg or gnupg2 must be installed in order to
check signatures.";
+ inform "gnupg2 or gnupg must be installed in order to
check signatures.";
_gpg_not_found_=1
fi
@@ -195,7 +197,6 @@ __gpg_verify() {
if [ -f ${_file}.${_sigext} ]
then
- [ check_prog gpg2 ] && GPG=gpg2 || GPG=gpg
inform "${_filetype} signature follows:";
$GPG --verify ${_file}.${_sigext} ${_file} || true;
fi
