commit:     b8ab8e1c850b773dd17e503a22902b52a2d3a868
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat May 20 08:13:29 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri May 26 01:33:03 2023 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=b8ab8e1c

emerge-webrsync: create a new temporary dir for legacy gpg verification

It's possible that we can't read /root/.gnupg and we shouldn't
be poking around in there anyway.

However, if the user is setting PORTAGE_GPG_DIR by themselves,
it's their responsibility to handle the directory being in the
right state (e.g. has the right keys imported).

- If PORTAGE_GPG_DIR is unset, make a tmpdir w/ mktemp.
- If we're using that temporary directory we just created, import 
PORTAGE_GPG_KEY,
as before defaulting to /usr/share/openpgp-keys/gentoo-release.asc.

Bug: https://bugs.gentoo.org/905868
Signed-off-by: Sam James <sam <AT> gentoo.org>
Closes: https://github.com/gentoo/portage/pull/1042
Signed-off-by: Sam James <sam <AT> gentoo.org>

 bin/emerge-webrsync | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index a84f68aa1..956e00e1f 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -314,7 +314,26 @@ check_file_signature_gpg_unwrapped() {
        local file="$2"
 
        if type -P gpg > /dev/null; then
-               if gnupg_status=$(gpg --homedir "${PORTAGE_GPG_DIR}" --batch \
+               if [[ -n ${PORTAGE_GPG_KEY} ]] ; then
+                       local key="${PORTAGE_GPG_KEY}"
+               else
+                       local 
key="${EPREFIX:-/}"/usr/share/openpgp-keys/gentoo-release.asc
+               fi
+
+               local gpgdir="${PORTAGE_GPG_DIR}"
+               if [[ -z ${gpgdir} ]] ; then
+                       gpgdir=$(mktemp -d 
"${PORTAGE_TMPDIR}/portage/webrsync-XXXXXX")
+                       if [[ ! -w ${gpgdir} ]] ; then
+                               die "gpgdir is not writable: ${gpgdir}"
+                       fi
+
+                       # If we're created our own temporary directory, it's 
okay for us
+                       # to import the keyring by ourselves. But we'll avoid 
doing it
+                       # if the user has set PORTAGE_GPG_DIR by themselves.
+                       gpg --no-default-keyring --homedir "${gpgdir}" --batch 
--import "${key}"
+               fi
+
+               if gnupg_status=$(gpg --no-default-keyring --homedir 
"${gpgdir}" --batch \
                        --status-fd 1 --verify "${signature}" "${file}"); then
                        while read -r line; do
                                if [[ ${line} == "[GNUPG:] GOODSIG"* ]]; then
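Review bot: The `gpg --import "${key}"` call in the `[[ -z ${gpgdir} ]]` branch ignores its exit status, so a missing, unreadable or malformed key file leaves the freshly created keyring empty and the problem only surfaces later as an unrelated `--verify` failure (it still fails closed, but with a misleading diagnostic); make it `gpg --no-default-keyring --homedir "${gpgdir}" --batch --import "${key}" || die "failed to import GPG key: ${key}"`. The directory from `mktemp -d`, which now holds a keyring, is never removed on any exit path; registering it for cleanup (a `trap` on EXIT, or an explicit `rm -rf -- "${gpgdir:?}"` once verification is done) would avoid leaving it behind under `${PORTAGE_TMPDIR}/portage`. `mktemp -d` itself is also unchecked and its failure is only caught indirectly by the `-w` test on the empty result; appending `|| die "mktemp failed"` to that line would make the intent explicit. The enclosing function `check_file_signature_gpg_unwrapped` starts before this hunk and its GOODSIG parsing loop continues after it.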
