This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=e33b22419e7ac26934500910d152c3b90765889f commit e33b22419e7ac26934500910d152c3b90765889f Author: Guillem Jover <[email protected]> AuthorDate: Sun Jul 5 16:55:51 2020 +0200 Dpkg::OpenPGP: Use a temporary directory for the GnuPG homedir This time for the verify_signature() function, to make sure we do not write to the user home directory, except for the trustkeys.db file if present. --- debian/changelog | 3 +++ scripts/Dpkg/OpenPGP.pm | 3 +++ 2 files changed, 6 insertions(+) diff --git a/debian/changelog b/debian/changelog index da2f8c284..b3c56dd3c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,9 @@ dpkg (1.20.4) UNRELEASED; urgency=medium - Dpkg::Source::Package: Explicitly initialize constructor options to their implicit values, otherwise other code end up assuming different defaults. Closes: #964017 + - Dpkg::OpenPGP: Use a temporary directory for the GnuPG homedir in + verify_signature(), to make sure we do not write to the user home + directory, except for the trustkeys.db file if present. * Build system: - Add Module::Signature as configure recommends for CPAN. diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm index deba0ec51..cf1b46610 100644 --- a/scripts/Dpkg/OpenPGP.pm +++ b/scripts/Dpkg/OpenPGP.pm @@ -142,6 +142,9 @@ sub verify_signature { $sig); return; } + + my $gpghome = File::Temp->newdir('dpkg-verify-sig.XXXXXXXX', TMPDIR => 1); + push @exec, '--homedir', $gpghome; foreach my $keyring (@{$opts{keyrings}}) { push @exec, '--keyring', $keyring; } -- Dpkg.Org's dpkg
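Review bot: In the debian/changelog hunk, the new entry names the excepted file as `trustkeys.db`, but nothing in the scripts/Dpkg/OpenPGP.pm change refers to a file of that name, so this commit does not show which file is meant or where the exception is implemented. Please check the name against the path the code actually uses, and if it differs, correct it in the changelog entry and the commit message.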
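Review bot: In the verify_signature() hunk of scripts/Dpkg/OpenPGP.pm, the added `File::Temp->newdir(...)` call comes with no `use File::Temp;` in this diff (the diffstat shows only these three lines added to the file), so please confirm the module is already loaded at the top of OpenPGP.pm. A short comment above `my $gpghome` would also help. File::Temp removes the directory when the object is destroyed, so `$gpghome` has to stay alive until the command built in `@exec` has finished running, and the code does not make that dependency obvious. The same comment could say where the exception mentioned in the commit message is handled, since `--homedir` here always points at the fresh temporary directory.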

