commit: f60e84241e16235f61bfd791492b4a80480e464b
Author: Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Wed Jun 18 04:07:05 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 18 09:51:58 2025 +0000
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=f60e8424
emerge-webrsync: don't check whether gpg(1) exists in
check_file_signature_gpg_unwrapped()
As concerns the check_file_signature_gpg_unwrapped() function, refrain
from checking whether the gpg(1) utility can be found in PATH. This is
what I would refer to as a pointless proxy check. One need not care
whether gpg(1) can be found in PATH. For if it cannot be found then the
first invocation of it shall fail, in which case, so be it. Let it fail!
Having dispensed with the proxy check, it can be seen that the
diagnostic message raised by the shell is sufficiently clear.
* Checking digest ...
* Checking signature ...
* Falling back to gpg as gemato is not installed
/usr/bin/emerge-webrsync: line 335: gpg: command not found
I would add that proxy checks are loved by programmers who have a
tendency to avoid thinking about the matter of error handling in
general, exhibiting no diligence whatsoever in this respect. Whensoever I
encounter such checks, I am immediately inclined to regard them as a
potential red flag. As a case in point, prior to my working on the
emerge-webrsync utility, the very first invocation of gpg(1) in this
function was bereft of an error check. For that matter, just because
type -P indicates that a given utility exists in PATH, it is by no means
guaranteed that it exists at the point of attempted execution.
Now, testing for the existence of a required utility can be a reasonable
thing to do before undergoing any substantive work and thus wasting the
user's time. Yet, had that genuinely been the intent, the check in
question would not have been situated within this particular function to
begin with.
Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>
bin/emerge-webrsync | 56 +++++++++++++++++++++++++----------------------------
1 file changed, 26 insertions(+), 30 deletions(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 174df11aad..f6a1a0de24 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -291,40 +291,36 @@ check_file_signature_gpg_unwrapped() {
local fingerprint key
local -x GNUPGHOME
- if ! type -P gpg > /dev/null; then
- die "cannot check signature: gpg binary not found"
+ if [[ -n ${PORTAGE_GPG_KEY} ]] ; then
+ key="${PORTAGE_GPG_KEY}"
else
- if [[ -n ${PORTAGE_GPG_KEY} ]] ; then
- key="${PORTAGE_GPG_KEY}"
- else
-
key="${EPREFIX}/usr/share/openpgp-keys/gentoo-release.asc"
- fi
+ key="${EPREFIX}/usr/share/openpgp-keys/gentoo-release.asc"
+ fi
- if [[ ! -f "${key}" ]] ; then
- eerror "${key} not available. Is
sec-keys/openpgp-keys-gentoo-release installed?"
- die "Needed keys unavailable! Install its package or
set PORTAGE_GPG_KEY to the right path."
- fi
+ if [[ ! -f "${key}" ]] ; then
+ eerror "${key} not available. Is
sec-keys/openpgp-keys-gentoo-release installed?"
+ die "Needed keys unavailable! Install its package or set
PORTAGE_GPG_KEY to the right path."
+ fi
- if [[ ! ${GNUPGHOME=${PORTAGE_GPG_DIR}} ]]; then
- # The PORTAGE_GPG_DIR variable is either unset or
- # empty. Create a temporary directory to contain an
- # ephemeral keyring into which Gentoo's distributed
- # public key block shall be imported.
- GNUPGHOME=$(mktemp -d --
"${PORTAGE_TMPDIR}/portage/webrsync.XXXXXX") \
- && gpg --batch --import "${key}" \
- && fingerprint=$(gpg_fingerprint
'<[email protected]>') \
- && gpg --batch --import-ownertrust
<<<"${fingerprint}:6:" \
- || exit
- elif [[ ! -w ${GNUPGHOME} ]]; then
- die "gpgdir is not writable: ${GNUPGHOME}"
- fi
+ if [[ ! ${GNUPGHOME=${PORTAGE_GPG_DIR}} ]]; then
+ # The PORTAGE_GPG_DIR variable is either unset or
+ # empty. Create a temporary directory to contain an
+ # ephemeral keyring into which Gentoo's distributed
+ # public key block shall be imported.
+ GNUPGHOME=$(mktemp -d --
"${PORTAGE_TMPDIR}/portage/webrsync.XXXXXX") \
+ && gpg --batch --import "${key}" \
+ && fingerprint=$(gpg_fingerprint '<[email protected]>')
\
+ && gpg --batch --import-ownertrust <<<"${fingerprint}:6:" \
+ || exit
+ elif [[ ! -w ${GNUPGHOME} ]]; then
+ die "gpgdir is not writable: ${GNUPGHOME}"
+ fi
- if ! gpg_verify "${signature}" "${file}"; then
- # Exit early since it's typically inappropriate to try
- # other mirrors in this case (it may indicate a keyring
- # problem).
- die "signature verification failed"
- fi
+ if ! gpg_verify "${signature}" "${file}"; then
+ # Exit early since it's typically inappropriate to try
+ # other mirrors in this case (it may indicate a keyring
+ # problem).
+ die "signature verification failed"
fi
}
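Review bot: The `[[ ! -f "${key}" ]]` test still runs unconditionally after the re-indentation, yet within the hunk `key` is read only by `gpg --batch --import "${key}"`, in the branch that builds the ephemeral keyring. When PORTAGE_GPG_DIR names an existing keyring, a missing gentoo-release.asc therefore aborts verification even though that file plays no part in it (assuming gpg_verify, defined outside the hunk, does not read `key`), which is the same kind of proxy check this commit removes. Consider moving the key selection and the `-f` test inside the `if [[ ! ${GNUPGHOME=${PORTAGE_GPG_DIR}} ]]` branch, with a comment there such as `# The key file is the trust anchor here: the key imported from it is granted ultimate ownertrust.` The function's opening lines are outside the hunk.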