commit:     9ef0d98aa9ca383b42e35c0b2364f9aa10c4aee0
Author:     Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Mon Jun 16 12:09:48 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Jun 17 03:00:40 2025 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=9ef0d98a

emerge-webrsync: don't specify the --no-default-keyring option

Presently, both the check_file_signature_gpg_unwrapped() and
gpg_verify() functions specify the --no-default-keyring option in the
course of executing gpg(1). However, its manual states that a keyring is
needed for almost all operations. Further, "if you use this option and
do not provide alternate keyrings via --keyring, then GnuPG will still
use the default keyring."

Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 bin/emerge-webrsync | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index d15cbed310..d73361e6ce 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -306,7 +306,7 @@ check_file_signature_gpg_unwrapped() {
                        # ephemeral keyring into which Gentoo's distributed
                        # public key block shall be imported.
                        GNUPGHOME=$(mktemp -d -- 
"${PORTAGE_TMPDIR}/portage/webrsync.XXXXXX") \
-                       && gpg --no-default-keyring --batch --import "${key}" \
+                       && gpg --batch --import "${key}" \
                        || exit
                elif [[ ! -w ${GNUPGHOME} ]]; then
                        die "gpgdir is not writable: ${GNUPGHOME}"
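Review bot: With `--no-default-keyring` gone, the `gpg --batch --import "${key}"` call relies entirely on `GNUPGHOME` to keep Gentoo's key block out of the invoking user's own keyring, and the hunk does not show that variable being exported. If it is only assigned here, gpg would not see the fresh `mktemp -d` directory and would import into its default home instead. Passing the directory explicitly, `&& gpg --homedir "${GNUPGHOME}" --batch --import "${key}" \`, would make the isolation visible at the call site. Failing that, a comment such as `# relies on GNUPGHOME being exported so that gpg uses the ephemeral keyring` would record the assumption. check_file_signature_gpg_unwrapped() starts and ends outside the hunk, so the export may well exist there.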
@@ -328,7 +328,7 @@ gpg_verify() {
        local output token
 
        # 
https://www.gnupg.org/documentation/manuals/gnupg/Automated-signature-checking.html
-       output=$(gpg --no-default-keyring --batch --status-fd 1 --verify 
"${signature}" "${file}") || return
+       output=$(gpg --batch --status-fd 1 --verify "${signature}" "${file}") 
|| return
        for token in GOODSIG VALIDSIG TRUST_ULTIMATE; do
                [[ $'\n'${output} == *$'\n[GNUPG:] '"${token} "* ]] || return
        done
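Review bot: gpg_verify() accepts any signature that yields GOODSIG, VALIDSIG and TRUST_ULTIMATE, so the outcome is decided by whatever keyring `GNUPGHOME` resolves to rather than by a specific signing key. That is sound for the ephemeral keyring, but the `elif [[ ! -w ${GNUPGHOME} ]]` branch in the earlier hunk suggests a caller-supplied gpgdir is also possible, where any key that gpg reports as ultimately trusted would pass. A comment above the `gpg --batch --status-fd 1 --verify` line would document this, e.g. `# Trust comes solely from the keyring under GNUPGHOME; no signing-key fingerprint is pinned here.` Alternatively, the fingerprint field of the VALIDSIG status line could be compared with the expected release key. The function begins before the hunk and may continue after it.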
