On Tue, Jan 16, 2018 at 11:43 AM, Michał Górny <mgo...@gentoo.org> wrote:
> Include a repo.postsync.d hook to verify the rsync checkout using > gemato. Given that not all people will want to have it enabled > unconditionally, no setup.py rules are included -- instead, the file > would be installed conditionally by the ebuild. > > [v2: included link to the wiki page] > --- > MANIFEST.in | 2 +- > misc/repo.postsync.d/00gemato | 18 ++++++++++++++++++ > 2 files changed, 19 insertions(+), 1 deletion(-) > create mode 100644 misc/repo.postsync.d/00gemato > > diff --git a/MANIFEST.in b/MANIFEST.in > index 4f6cac162..edc6704e7 100644 > --- a/MANIFEST.in > +++ b/MANIFEST.in > @@ -14,4 +14,4 @@ include cnf/make.conf.example.* > include .portage_not_installed > > # extra scripts > -include misc/* > +graft misc > diff --git a/misc/repo.postsync.d/00gemato b/misc/repo.postsync.d/00gemato > new file mode 100644 > index 000000000..f2af50925 > --- /dev/null > +++ b/misc/repo.postsync.d/00gemato > @@ -0,0 +1,18 @@ > +#!/bin/bash > +# repo.postsync.d hook to verify ::gentoo checkout using gemato > + > +name=${1} > +url=${2} > +path=${3} > + > +# keyring installed by gentoo-keys > +openpgp_key=/var/lib/gentoo/gkeys/keyrings/gentoo/release/pubring.gpg > This seems a bit leaky to me. Possible to get gentoo-keys to print it? e.g: openpgp_key=$(gentoo-keys --print-key-path) Or it's fine if we think it won't move around. I guess that is mostly up to dol-sen? :) -A > + > +# apply only to ::gentoo, when synced over rsync. > +if [[ ${name} == gentoo && ${url} == rsync://* ]]; then > + if ! gemato verify -K "${openpgp_key}" -s "${path}"; then > + eerror "For troubleshooting the verification failures, > please see:" > + eerror " https://wiki.gentoo.org/wiki/ > Project:Portage/Repository_Verification" > + return 1 > + fi > +fi > -- > 2.16.0.rc2 > > >
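Review bot: in misc/repo.postsync.d/00gemato the failure branch ends with `return 1`, but the file starts with `#!/bin/bash` and defines no function, so `return` is only valid if the hook is sourced; if the hook is executed, `exit 1` is the statement that reports the failed verification to the caller. The same branch calls `eerror`, which none of the 18 added lines defines or sources, so unless the caller exports that function the troubleshooting link is lost behind a "command not found" message. Source the library that provides `eerror` at the top of the hook, or print the two lines with `echo ... >&2`, and add a comment saying what a non-zero status from this hook is expected to make the sync do.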
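Review bot: in the MANIFEST.in hunk, `graft misc` takes in every file under misc/ at any depth, not just the new repo.postsync.d/00gemato, and the `# extra scripts` comment above it no longer says that. If the intent is only to add the hook directory, keeping `include misc/*` and adding `recursive-include misc/repo.postsync.d *` keeps the sdist contents explicit; if the whole tree is intended, update the comment to say so.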