On 11/27/24 4:57 PM, Sam James wrote:
> Eli Schwartz <eschwa...@gentoo.org> writes:
>> +# @EXAMPLE:
>> +# Example use:
>> +#
>> +# @CODE
>> +# SEC_KEYS_VALIDPGPKEYS=(
>> +# '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github'
>> +# )
>
> Can you expand the example(s) here maybe with some comments in the array
> to help people see when it might be suitable to use e.g. none with a mix
> of github?
Sure, good idea.

>> +# @FUNCTION: sec-keys_src_compile
>> +# @DESCRIPTION:
>> +# Default src_compile override that imports all public keys into a keyring,
>> +# and validates that they are listed in SEC_KEYS_VALIDPGPKEYS.
>> +sec-keys_src_compile() {
>> + local -x GNUPGHOME=${WORKDIR}/gnupg
>> + mkdir -m700 -p "${GNUPGHOME}" || die
>
> Is there any value in using gemato's gpg-wrap for this function?

I don't think so. The main use case for gemato that I see is it automatically entering a tempdir context based on a keyfile. We need to support multiple keyfiles, including ebuild-specified SRC_URI that may not be ascii-armored and cannot be concatenated together, which means in order to get to a point where gpg-wrap can be used to run one-off commands using a keyfile in which gemato wraps the creation of a keyring... we've basically done all the work we actually wanted to do.

>> + local extra_keys=($(comm -23 imported_keys.list allowed_keys.list ||
>> die))
>> + local missing_keys=($(comm -13 imported_keys.list allowed_keys.list ||
>> die))
>
> Any reason to not readarray this instead?

The files each contain a list of words (PGP fingerprint, consisting of characters matching [0-9A-F] and nothing else), with the only whitespace in the file being newline characters. Both readarray and command substitution tokenize this the same.

I'm not sure it particularly matters which one to use, but command substitution can be done on one line (local variable=($(command || die)) ) whereas readarray requires two lines (local -a variable; readarray -t varlist < <(command || die) ) and you have to remember to use -t and -a. I don't think readarray provides any functionality we need here.
>> + for fingerprint in "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}"; do
>> + local uids=()
>> + mapfile -t uids < <("${gpg_command[@]}" --list-key
>> --with-colons ${fingerprint} | awk -F: '/^uid/{print $10}' || die)
>> + edo "${gpg_command[@]}" "${uids[@]/#/--comment=}" --export
>> --armor "${fingerprint}" >> ${PN#openpgp-keys-}.asc || die
>
> No need for the die here.

Right, I probably forgot to remove this when I switched to edo.

-- 
Eli Schwartz
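Review bot: The @EXAMPLE hunk shows one entry, '4EC8A4DB7D2E01C00AF36C49E5C587B5E286C65A:jsmith:github', without saying what the three colon-separated fields mean. Since the loop later keeps only the part before the first colon via "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}", the documentation should state that the first field is the full fingerprint that is actually validated and what the owner and source fields are used for, so a reader knows which part of the entry is security-relevant.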
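Review bot: The @DESCRIPTION in the sec-keys_src_compile hunk says the function "validates that they are listed in SEC_KEYS_VALIDPGPKEYS" but not what happens when validation fails. The later hunk computes both extra_keys (imported but not listed) and missing_keys (listed but not imported), so the description should say explicitly how each case is treated, letting ebuild authors know whether the check is strict in both directions.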
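Review bot: comm requires both inputs to be sorted under the same collation, and the extra_keys/missing_keys hunk gives no hint that imported_keys.list and allowed_keys.list are produced that way. If either list is unsorted, or the two are sorted under different LC_COLLATE settings, comm warns and its output is unreliable, so keys can be reported as extra or missing spuriously. Sort both lists with a fixed locale where they are written (e.g. LC_ALL=C sort -u), or add a comment stating that they already are.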
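Review bot: In the mapfile line, the "|| die" only reacts to awk's exit status: without pipefail, the status of "${gpg_command[@]}" --list-key --with-colons ${fingerprint} is discarded, so if gpg fails (for instance because the fingerprint is not in the keyring) uids is silently empty and the key is exported with no --comment options instead of the build failing. Check gpg's status separately or enable pipefail for that pipeline, and quote ${fingerprint} as the --export line below already does.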
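The allow-list comparison discussed in this thread (comm -23 for extra keys, comm -13 for missing keys, fingerprints taken from "fingerprint:owner:source" entries), as an added example that is not the eclass code from the patch; it assumes only POSIX sh, sort, comm and mktemp, and every fingerprint in it is constructed.

```shell
#!/bin/sh
# Added example, not the eclass code from the thread: the allow-list
# check described above, runnable offline without gpg. All
# fingerprints below are constructed sample values.

# Print the fingerprint field of each "fingerprint:owner:source" entry,
# one per line, like the eclass's "${SEC_KEYS_VALIDPGPKEYS[@]%%:*}".
allowed_fingerprints() {
    for entry in "$@"; do
        printf '%s\n' "${entry%%:*}"
    done
}

# check_keys IMPORTED_FILE ALLOWED_FILE
# Prints "extra FPR" for imported-but-unlisted and "missing FPR" for
# listed-but-not-imported fingerprints. Returns 1 on any mismatch.
# Both lists are re-sorted under LC_ALL=C first, because comm requires
# identically collated input; unsorted input makes its output unreliable.
check_keys() {
    tmpdir=$(mktemp -d) || return 2
    LC_ALL=C sort -u "$1" > "$tmpdir/imported" || return 2
    LC_ALL=C sort -u "$2" > "$tmpdir/allowed" || return 2
    extra=$(LC_ALL=C comm -23 "$tmpdir/imported" "$tmpdir/allowed")
    missing=$(LC_ALL=C comm -13 "$tmpdir/imported" "$tmpdir/allowed")
    rm -rf "$tmpdir"
    status=0
    # Word splitting is safe here: fingerprints are [0-9A-F] only.
    for fpr in $extra; do printf 'extra %s\n' "$fpr"; status=1; done
    for fpr in $missing; do printf 'missing %s\n' "$fpr"; status=1; done
    return $status
}

# Constructed demo data: one listed key was never imported and one
# imported key is not on the allow-list, so the check must fail.
demo() {
    dir=$(mktemp -d) || return 2
    allowed_fingerprints \
        'AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:jsmith:github' \
        '0000111122223333444455556666777788889999:rdoe:none' \
        > "$dir/allowed_keys.list"
    printf '%s\n' \
        'AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555' \
        'FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000' \
        > "$dir/imported_keys.list"
    check_keys "$dir/imported_keys.list" "$dir/allowed_keys.list"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Running demo prints one "extra" and one "missing" line and returns 1, which is the point at which the eclass would die.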