commit: c9147587da34ecf6cd19bf1ed2d0835d3d8c1777
Author: Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Wed Jun 18 11:33:15 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 18 20:01:00 2025 +0000
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=c9147587
emerge-webrsync: stop gpg-agent(1) lingering for ephemeral GNUPGHOME dirs
As concerns the check_file_signature_gpg() function, it is possible for
the value of the 'GNUPGHOME' environment variable to be the path of a
temporary directory created by mktemp(1). In that case, the directory is
guaranteed to be removed upon emerge-webrsync exiting. However, a
defunct gpg-agent(1) process will persist for the deleted directory.
Address this issue by declaring the function as a compound command of
the ( … ) form, which declares its own EXIT trap. The trap shall execute
gpgconf(1) in a way that terminates the gpg-agent(1) process that would
otherwise linger.
Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>
bin/emerge-webrsync | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 7140a757db..de5eb5d03b 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -278,7 +278,7 @@ check_file_signature_gemato() {
fi
}
-check_file_signature_gpg() {
+check_file_signature_gpg() (
local signature=$1 file=$2
local fingerprint key
local -x GNUPGHOME
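Review bot: Turning the body into `( … )` means any `exit` or die-style call inside it now ends only the subshell, so a failed verification reaches the caller purely through the function's return status. The rest of the body lies outside this hunk, so it is worth confirming that no path there relies on aborting the whole script and that every caller checks the status. The form is also easy to mistake for a typo, so a comment above the definition would help, for example `# Runs in a subshell so that the EXIT trap set below fires when the function returns.`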
@@ -304,6 +304,7 @@ check_file_signature_gpg() {
# ephemeral keyring into which Gentoo's distributed
# public key block shall be imported.
GNUPGHOME=$(mktemp -d --
"${PORTAGE_TMPDIR}/portage/webrsync.XXXXXX") \
+ && trap 'gpgconf -K pgp-agent' EXIT \
&& gpg --batch --import "${key}" \
&& fingerprint=$(gpg_fingerprint '<[email protected]>')
\
&& gpg --batch --import-ownertrust <<<"${fingerprint}:6:" \
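Review bot: The added trap passes `pgp-agent` to `gpgconf -K`, which looks like a transposition of the component name `gpg-agent`. gpgconf would presumably reject the unknown component, and because this runs in an EXIT trap the failure goes unnoticed, leaving the agent for the temporary GNUPGHOME running, which is the problem the commit sets out to fix. The line should read `&& trap 'gpgconf -K gpg-agent' EXIT \`. The surrounding function body starts and ends outside this hunk.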
@@ -313,7 +314,7 @@ check_file_signature_gpg() {
fi
gpg_verify "${signature}" "${file}"
-}
+)
gpg_fingerprint() {
local -a fields