commit: b8ab8e1c850b773dd17e503a22902b52a2d3a868 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sat May 20 08:13:29 2023 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Fri May 26 01:33:03 2023 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=b8ab8e1c
emerge-webrsync: create a new temporary dir for legacy gpg verification It's possible that we can't read /root/.gnupg and we shouldn't be poking around in there anyway. However, if the user is setting PORTAGE_GPG_DIR by themselves, it's their responsibility to handle the directory being in the right state (e.g. has the right keys imported). - If PORTAGE_GPG_DIR is unset, make a tmpdir w/ mktemp. - If we're using that temporary directory we just created, import PORTAGE_GPG_KEY, as before defaulting to /usr/share/openpgp-keys/gentoo-release.asc. Bug: https://bugs.gentoo.org/905868 Signed-off-by: Sam James <sam <AT> gentoo.org> Closes: https://github.com/gentoo/portage/pull/1042 Signed-off-by: Sam James <sam <AT> gentoo.org> bin/emerge-webrsync | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index a84f68aa1..956e00e1f 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -314,7 +314,26 @@ check_file_signature_gpg_unwrapped() {
 local file="$2"
 if type -P gpg > /dev/null; then
- if gnupg_status=$(gpg --homedir "${PORTAGE_GPG_DIR}" --batch \
+ if [[ -n ${PORTAGE_GPG_KEY} ]] ; then
+ local key="${PORTAGE_GPG_KEY}"
+ else
+ local key="${EPREFIX:-/}"/usr/share/openpgp-keys/gentoo-release.asc
+ fi
+
+ local gpgdir="${PORTAGE_GPG_DIR}"
+ if [[ -z ${gpgdir} ]] ; then
+ gpgdir=$(mktemp -d "${PORTAGE_TMPDIR}/portage/webrsync-XXXXXX")
+ if [[ ! -w ${gpgdir} ]] ; then
+ die "gpgdir is not writable: ${gpgdir}"
+ fi
+
+ # If we're created our own temporary directory, it's okay for us
+ # to import the keyring by ourselves. But we'll avoid doing it
+ # if the user has set PORTAGE_GPG_DIR by themselves.
+ gpg --no-default-keyring --homedir "${gpgdir}" --batch --import "${key}"
+ fi
+
+ if gnupg_status=$(gpg --no-default-keyring --homedir "${gpgdir}" --batch \
 --status-fd 1 --verify "${signature}" "${file}"); then
 while read -r line; do
 if [[ ${line} == "[GNUPG:] GOODSIG"* ]]; then