commit:     275d9ae9a8265df5c3b9d1d1a76902267aa4a9d5
Author:     Brian Dolbec <dolsen <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 26 04:57:35 2014 +0000
Commit:     Brian Dolbec <brian.dolbec <AT> gmail <DOT> com>
CommitDate: Fri Dec 26 04:57:35 2014 +0000
URL:        
http://sources.gentoo.org/gitweb/?p=proj/gentoo-keys.git;a=commit;h=275d9ae9

gkeys: Update fetchseed, verify actions to work with the new category system

---
 gkeys/etc/gkeys.conf        | 22 ++++++++++++++++++++--
 gkeys/etc/gkeys.conf.sample | 22 ++++++++++++++++++++--
 gkeys/gkeys/actions.py      | 30 ++++++++++++++++++------------
 gkeys/gkeys/config.py       |  2 ++
 gkeys/gkeys/seedhandler.py  | 11 ++++++-----
 5 files changed, 66 insertions(+), 21 deletions(-)

diff --git a/gkeys/etc/gkeys.conf b/gkeys/etc/gkeys.conf
index 3c79243..d9a42c0 100644
--- a/gkeys/etc/gkeys.conf
+++ b/gkeys/etc/gkeys.conf
@@ -20,6 +20,11 @@ gkeysdir: /var/lib/gentoo/gkeys
 keyring: %(gkeysdir)s/keyrings
 
 
+# The default keyring to use
+# for verification if not specified
+verify-keyring: gentoo
+
+
 # Base directory to use as the path prefix to use
 # for the signing capable keyrings, keyring settings
 # eg: '/' for root if absolute paths are used for homedir, keyring
@@ -48,8 +53,12 @@ files: 0o002
 
 [seeds]
 
-# *-seedfile: json txt file of name, keyid, fingerprint
-# entry per line
+# file is a json text file of: nick, name, keydir, fingerprint
+# one file per line
+# category = category or seedfile name
+# these categories/seedfile nmaes are used for the
+# -C, --category input value validations
+# eg: category: filepath
 gentoo: %(seedsdir)s/gentoo.seeds
 gentoo-devs: %(seedsdir)s/gentoo-devs.seeds
 
@@ -62,6 +71,15 @@ gentoo: https://api.gentoo.org/gentoo-keys/seeds/gentoo.seeds
 gentoo-devs: https://api.gentoo.org/gentoo-keys/seeds/gentoo-devs.seeds
 
 
+[verify-seeds]
+
+# mapping of the seedfile category name
+# to the category-name and gpg-key keydir to use to verify the seedfile
+# seedfile-name: category keydir
+gentoo: gentoo gkeys
+gentoo-devs: gentoo gkeys
+
+
 [sign]
 
 # GKEY nick used for verification of seeds and other gkey files
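Review bot: The comment on the new `[verify-seeds]` section describes the value as `category keydir`, but the code added in this commit reads the second token as a nick (`args.nick = verify_info[1]` in both actions.py and seedhandler.py). This mapping selects which key is trusted to verify each seed file, so the comment should name the fields as they are used, e.g. `# seedfile-name: category nick`. A second comment line could say that the nick has to exist in that category, since verify fails when `nick_search` does not find it. The same wording is in gkeys.conf.sample.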

diff --git a/gkeys/etc/gkeys.conf.sample b/gkeys/etc/gkeys.conf.sample
index 3c79243..d9a42c0 100644
--- a/gkeys/etc/gkeys.conf.sample
+++ b/gkeys/etc/gkeys.conf.sample
@@ -20,6 +20,11 @@ gkeysdir: /var/lib/gentoo/gkeys
 keyring: %(gkeysdir)s/keyrings
 
 
+# The default keyring to use
+# for verification if not specified
+verify-keyring: gentoo
+
+
 # Base directory to use as the path prefix to use
 # for the signing capable keyrings, keyring settings
 # eg: '/' for root if absolute paths are used for homedir, keyring
@@ -48,8 +53,12 @@ files: 0o002
 
 [seeds]
 
-# *-seedfile: json txt file of name, keyid, fingerprint
-# entry per line
+# file is a json text file of: nick, name, keydir, fingerprint
+# one file per line
+# category = category or seedfile name
+# these categories/seedfile nmaes are used for the
+# -C, --category input value validations
+# eg: category: filepath
 gentoo: %(seedsdir)s/gentoo.seeds
 gentoo-devs: %(seedsdir)s/gentoo-devs.seeds
 
@@ -62,6 +71,15 @@ gentoo: https://api.gentoo.org/gentoo-keys/seeds/gentoo.seeds
 gentoo-devs: https://api.gentoo.org/gentoo-keys/seeds/gentoo-devs.seeds
 
 
+[verify-seeds]
+
+# mapping of the seedfile category name
+# to the category-name and gpg-key keydir to use to verify the seedfile
+# seedfile-name: category keydir
+gentoo: gentoo gkeys
+gentoo-devs: gentoo gkeys
+
+
 [sign]
 
 # GKEY nick used for verification of seeds and other gkey files

diff --git a/gkeys/gkeys/actions.py b/gkeys/gkeys/actions.py
index de8446d..dddd48a 100644
--- a/gkeys/gkeys/actions.py
+++ b/gkeys/gkeys/actions.py
@@ -34,7 +34,7 @@ Action_Options = {
     'addseed': ['nick', 'name', 'keydir', 'fingerprint', 'category'],
     'removeseed': ['nick', 'name', 'keydir', 'fingerprint', 'category'],
     'moveseed': ['nick', 'name', 'keydir', 'fingerprint', 'category', 'dest'],
-    'fetchseed': ['nick', 'name', 'keydir', 'fingerprint', 'category'],
+    'fetchseed': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring'],
     'listseedfiles': [],
     'listkey': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring', 'gpgsearch', 'keyid'],
     'installkey': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring', '1file'],
@@ -42,7 +42,7 @@ Action_Options = {
     'movekey': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring', 'dest'],
     'installed': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring'],
     'importkey': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring'],
-    'verify': ['dest', 'nick', 'name', 'keydir', 'fingerprint', 'category', 
'1file', 'signature', 'keyring', 'timestamp'],
+    'verify': ['dest', 'nick', 'name', 'keydir', 'fingerprint', 'category', 
'1file', 'signature', 'timestamp'],
     'checkkey': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring', 'keyid'],
     'sign': ['nick', 'name', 'keydir', 'fingerprint', 'file', 'keyring'],
     'speccheck': ['nick', 'name', 'keydir', 'fingerprint', 'category', 
'keyring', 'keyid'],
@@ -80,6 +80,10 @@ class Actions(object):
     def fetchseed(self, args):
         '''Download the selected seed file(s)'''
         self.logger.debug("ACTIONS: fetchseed; args: %s" % str(args))
+        if not args.keyring:
+            verify_info = self.config.get_key('verify-seeds', 
args.category).split()
+            args.keyring = verify_info[0]
+            args.nick = verify_info[1]
         handler = SeedHandler(self.logger, self.config)
         success, messages = handler.fetch_seeds(args.category, args, 
self.verify)
 
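Review bot: The new lookup `self.config.get_key('verify-seeds', args.category).split()` is unguarded, so a category missing from `[verify-seeds]`, or a value with fewer than two tokens, most likely ends in an exception on `.split()` or on `verify_info[1]` rather than a readable error. The loop added to fetch_seeds in seedhandler.py has the same pattern, and there it sits after the `try`/`except KeyError` block. Because this mapping decides which key a downloaded seed file is verified against, I would check it explicitly and return a failure, e.g. `if len(verify_info) != 2: return (False, ['Invalid verify-seeds entry for: %s' % args.category])`. Also, the first token is stored as `args.keyring` here but as `args.category` in seedhandler.py; one name should be used for it. fetchseed continues past the end of this hunk.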
@@ -606,13 +610,15 @@ class Actions(object):
         if not args.filename:
             return (False, ['Please provide a signed file.'])
         if not args.category:
-            args.category = 'gentoo'
-        (success, data) = self.installed(args)
-        keys = data[1]
+            args.category = self.config.get_key('verify_keyring')
+            self.logger.debug("ACTIONS: verify; keyring category not 
specified, using default: %s"
+                % args.category)
+        handler = SeedHandler(self.logger, self.config)
+        keys = handler.load_category(args.category)
         if not keys:
             return (False, ['No installed keys found, try installkey action.'])
-        keyring = self.config.get_key('keyring')
-        catdir = os.path.join(keyring, args.category)
+        keyrings = self.config.get_key('keyring')
+        catdir = os.path.join(keyrings, args.category)
         self.logger.debug("ACTIONS: verify; catdir = %s" % catdir)
         self.gpg = GkeysGPG(self.config, catdir)
         filepath, signature  = args.filename, args.signature
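Review bot: The default category is read with `self.config.get_key('verify_keyring')`, but the option added to gkeys.conf and to the defaults in config.py is spelled `verify-keyring`, so this lookup most likely never returns the configured value. The line should read `args.category = self.config.get_key('verify-keyring')`. The default in config.py is `''`, so it is also worth returning an error when the result is empty: `os.path.join(keyrings, '')` would point GkeysGPG at the keyrings base directory rather than at one category. The verify method starts before and continues after this hunk.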
@@ -672,11 +678,11 @@ class Actions(object):
             messages = []
             self.logger.info("Verifying file...")
             verified = False
-            # get correct key to use
-            use_gkey = self.config.get_key('seedurls', 'gkey')
-            for key in keys:
-                if key.nick == use_gkey:
-                    break
+            key = keys.nick_search(args.nick)
+            if not key:
+                messages.append("Failed to find nick: %s in %s category"
+                    % (args.nick, args.category))
+                return (False, messages)
             results = self.gpg.verify_file(key, sig_path, filepath)
             keyid = key.keyid[0]
             (valid, trust) = results.verified
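Review bot: `keys.nick_search(args.nick)` uses `args.nick` without checking that it was set; in this commit only fetchseed and fetch_seeds fill it in, so a direct verify call without a nick presumably ends in the message `Failed to find nick: None in ... category`. A guard before the search, such as `if not args.nick: return (False, ['Please provide a nick for the key to verify with.'])`, would state the real problem. The new failure path is also not logged, while the lines around it do log; a `self.logger.debug` call with the same text would help when a verification fails unattended. The enclosing method starts and ends outside this hunk.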

diff --git a/gkeys/gkeys/config.py b/gkeys/gkeys/config.py
index 7e31909..6eba2b3 100644
--- a/gkeys/gkeys/config.py
+++ b/gkeys/gkeys/config.py
@@ -90,6 +90,8 @@ class GKeysConfig(GPGConfig):
             'keyring': None,
             'type': 'clearsign',
         }
+        self.defaults['verify-keyring'] = ''
+        self.defaults['verify-seeds'] = {}
 
 
     def read_config(self):

diff --git a/gkeys/gkeys/seedhandler.py b/gkeys/gkeys/seedhandler.py
index 0e66b69..bb233f9 100644
--- a/gkeys/gkeys/seedhandler.py
+++ b/gkeys/gkeys/seedhandler.py
@@ -130,18 +130,19 @@ class SeedHandler(object):
                 seedurl = self.config.get_key('seedurls', seed)
                 seedpath = self.config.get_key('seeds', seed)
                 if http_check.match(seedurl):
-                    urls.extend([(seedurl, seedpath)])
+                    urls.extend([(seed, seedurl, seedpath)])
                 else:
-                    self.logger.info("Wrong seed file URLs... Switching to 
default URLs.")
-                    urls.extend([(self.config['seedurls'][seed], seedpath)])
+                    self.logger.info("Wrong seed file URLs... Skipping: %s" % 
seed)
         except KeyError:
             pass
         succeeded = []
         seedsdir = self.config.get_key('seedsdir')
         mode = int(self.config.get_key('permissions', 'directories'),0)
         ensure_dirs(seedsdir, mode=mode)
-        for (url, filepath) in urls:
-            args.category = 'rel'
+        for (seed, url, filepath) in urls:
+            verify_info = self.config.get_key('verify-seeds', seed).split()
+            args.category = verify_info[0]
+            args.nick = verify_info[1]
             args.filename = url
             args.signature = None
             args.timestamp = True
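Review bot: A seed whose URL fails `http_check` is now dropped with only `self.logger.info("Wrong seed file URLs... Skipping: %s" % seed)`, so the local seed file for it stays as it was and nothing in the visible lines records the skip as a failure. I would log this at warning or error level and, if the result returned to the caller is built from `succeeded` (not visible in this hunk), make sure a skipped seed counts as unsuccessful. The loop also overwrites `args.category` and `args.nick` on the caller's `args` object for every seed, replacing any value already there, including the one fetchseed sets; a short comment saying that this is intended would help. fetch_seeds starts before and ends after this hunk.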
