This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch master
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7b2d550c64191597827350fa447bf9caf15b749a

commit 7b2d550c64191597827350fa447bf9caf15b749a (HEAD -> master)
Author: Guillem Jover <[email protected]>
AuthorDate: Sun Jun 28 17:02:49 2020 +0200

    Dpkg::OpenPGP: Use a temporary directory for the GnuPG homedir
    
    In import_key() when calling gpg we need to specify a temporary homedir
    to make sure we do not write to the user home directory, which might be
    read-only or non-existent.
    
    Reported-by: Mattia Rizzolo <[email protected]>
---
 debian/changelog        | 4 ++++
 scripts/Dpkg/OpenPGP.pm | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 427020380..471d5f424 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,10 @@ dpkg (1.20.3) UNRELEASED; urgency=medium
     - Dpkg::Source::Package: Fix check_original_tarball_signature() to make
       import_key() honor require_valid_signature, which should default to
       false. Reported by Mattia Rizzolo <[email protected]>.
+    - Dpkg::OpenPGP: Use a temporary directory for the GnuPG homedir in
+      import_key(), to make sure we do not write to the user home directory,
+      which might be read-only or non-existent.
+      Reported by Mattia Rizzolo <[email protected]>.
 
   [ Updated programs translations ]
   * German (Sven Joachim).
diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm
index 961c6df05..7ee330af3 100644
--- a/scripts/Dpkg/OpenPGP.pm
+++ b/scripts/Dpkg/OpenPGP.pm
@@ -20,6 +20,7 @@ use warnings;
 
 use POSIX qw(:sys_wait_h);
 use Exporter qw(import);
+use File::Temp;
 use File::Copy;
 
 use Dpkg::Gettext;
@@ -98,6 +99,10 @@ sub import_key {
                 $asc);
         return;
     }
+
+    my $gpghome = File::Temp->newdir("dpkg-import-key.XXXXXXXX", TMPDIR => 1);
+
+    push @exec, '--homedir', $gpghome;
     push @exec, '--no-options', '--no-default-keyring', '-q', '--import';
     push @exec, '--keyring', $opts{keyring};
     push @exec, $asc;
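Review bot: The File::Temp object in `$gpghome` removes the directory once its last reference is released, and nothing near `push @exec, '--homedir', $gpghome;` records that gpg has to run before that happens. import_key() continues outside the hunk, so it cannot be confirmed from here that the command runs while `$gpghome` (or the reference held in `@exec`) is still alive. A comment above the declaration, such as `# $gpghome must outlive the gpg call; File::Temp removes the directory on destruction.`, would guard against a later refactor that stringifies the path or moves the call. Separately, `File::Temp->newdir` croaks when the directory cannot be created, which presumably bypasses the warning-versus-error choice that require_valid_signature makes elsewhere in this function. Catching that failure with `eval` and reporting it through the same path would keep an unwritable TMPDIR from aborting an optional signature check.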

-- 
Dpkg.Org's dpkg
