Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
"Darshit Shah" writes: > I don't have push access to gnulib, so could you please push it for me? I ended up pushing the patch below. There are several considerations here: * We want the OpenPGP Key identifier to be mentioned in the e-mail, it provides a strong hash-based coupling between the (hopefully signed) e-mail and the resulting retrieved OpenPGP key. Searching keys based on email address, or downloading a URL, introduces trust on some remote server to offer the correct key. While the OpenPGP key IDs is user unfriendly, I think this should remain the preferred (and thus first) suggestion in the list of commands to try because it offers extra resiliance. * I settled on suggesting the simple 'gpg --locate-external-key', which requires a bit more modern GnuPG, see [1] for further discussion. * A developer may want to put gpg_key_email="" or gpg_keyring_url="" in cfg.mk to avoid adding these lines to the announcement. * I moved the default URL from announce-gen to maint.mk, mostly to make the code to support the previous point easier. /Simon [1] https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242 From 2ca890b56420158076f9027ef432311a5645fc2b Mon Sep 17 00:00:00 2001 From: Simon Josefsson Date: Mon, 14 Mar 2022 11:14:50 +0100 Subject: [PATCH] maintainer-makefile: Improve GnuPG announce-gen options. * top/maint.mk (gpg_key_emil): New variable. (gpg_keyring_url): New variable. (announcement): Pass them as --gpg-key-email and --gpg-keyring-url. --- ChangeLog| 6 ++ top/maint.mk | 9 + 2 files changed, 15 insertions(+) diff --git a/ChangeLog b/ChangeLog index e68ce4546b..1f60d9a44c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,12 @@ (main): Don't suggest 'gpg --keyserver' since the situation with public key servers is complicated and GnuPG version dependent. + maintainer-makefile: Improve GnuPG announce-gen options. + * top/maint.mk (gpg_key_emil): New variable. + (gpg_keyring_url): New variable. + (announcement): Pass them as --gpg-key-email and + --gpg-keyring-url. + 2022-03-13 Ben Pfaff Document Automake 1.14 requirement in NEWS, too, since it had been diff --git a/top/maint.mk b/top/maint.mk index 92cef425cf..b9f483bf97 100644 --- a/top/maint.mk +++ b/top/maint.mk @@ -1391,6 +1391,11 @@ gpg_key_ID ?=\ && git cat-file tag v$(VERSION) \ | $(gpgv) --status-fd 1 --keyring /dev/null - - 2>/dev/null \ | $(AWK) '/^\[GNUPG:\] ERRSIG / {print $$3; exit}') +gpg_key_email ?= \ + $$(gpg --list-key --with-colons $(gpg_key_ID) 2>/dev/null \ + | $(AWK) -F: '/^uid/ {print $$10; exit}' \ + | $(SED) -n 's/.*<\(.*\)>/\1/p') +gpg_keyring_url ?= https://savannah.gnu.org/project/release-gpgkeys.php?group=$(PACKAGE)=1 translation_project_ ?= coordina...@translationproject.org @@ -1421,6 +1426,10 @@ announcement: NEWS ChangeLog $(rel-files) --prev=$(PREV_VERSION) \ --curr=$(VERSION) \ --gpg-key-id=$(gpg_key_ID) \ + $$(test -n "$(gpg_key_email)" &&\ + echo --gpg-key-email="$(gpg_key_email)") \ + $$(test -n "$(gpg_keyring_url)" &&\ + echo --gpg-keyring-url="$(gpg_keyring_url)") \ --srcdir=$(srcdir) \ --news=$(srcdir)/NEWS \ --bootstrap-tools=$(bootstrap-tools) \ -- 2.30.2 signature.asc Description: PGP signature
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
On Sun, Mar 13, 2022, at 09:10, Simon Josefsson wrote: > Darshit Shah writes: > >> + --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing >> +the key used to sign the tarballs > ... >> If that command fails because you don't have the required public key, >> then run this command to import it: >> >> - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id >> + wget -q -O- '$gpg_keyring_url' | gpg --import - > > Hi. I agree this part of announce-gen is sub-optimal. There were > earlier discussions about solutions: > > https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242 > > My first reaction was that we should use something like that instead, > and not your patch. However given how unreliable the GnuPG parameters > (different version compatibility, and some reports about bugs) are wrt > to key servers, I prefer your approach to mention a URL in the > announcement instead of suggesting --recv-keys or some variant of > --locate-external-keys. This also makes it much easier for anyone not > using GnuPG to locate the OpenPGP key. > > Do you have push access to gnulib, or do you want me to polish up the > patch and push it? I don't have push access to gnulib, so could you please push it for me?
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
Darshit Shah writes: > + --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing > +the key used to sign the tarballs ... > If that command fails because you don't have the required public key, > then run this command to import it: > > - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id > + wget -q -O- '$gpg_keyring_url' | gpg --import - Hi. I agree this part of announce-gen is sub-optimal. There were earlier discussions about solutions: https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242 My first reaction was that we should use something like that instead, and not your patch. However given how unreliable the GnuPG parameters (different version compatibility, and some reports about bugs) are wrt to key servers, I prefer your approach to mention a URL in the announcement instead of suggesting --recv-keys or some variant of --locate-external-keys. This also makes it much easier for anyone not using GnuPG to locate the OpenPGP key. Do you have push access to gnulib, or do you want me to polish up the patch and push it? /Simon signature.asc Description: PGP signature
[PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
Okay, I decided to take the easy way out and wrote this patch instead. The URL was too long and ugly in the --help output, so I'm glad to remove it from there. -- >8 -- * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was deprecated and has been offline since the middle of 2021. The default keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus offline as well. Instead, use the Release Keyring on Savannah to list the GnuPG Keys used to sign releases for that project and import the entire keyring. A new option --gpg-keyring-url is provided for projects that don't use Savannah or maintain their keyring elsewhere --- ChangeLog | 11 +++ build-aux/announce-gen | 9 - 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e3f0ed216c..c2ea26f5ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2022-03-08 Darshit Shah + + build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG + * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was + deprecated and has been offline since the middle of 2021. The default + keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus + offline as well. Instead, use the Release Keyring on Savannah to list the + GnuPG Keys used to sign releases for that project and import the entire + keyring. A new option --gpg-keyring-url is provided for projects that don't + use Savannah or maintain their keyring elsewhere + 2022-03-07 Pádraig Brady fcntl-h: add AT_NO_AUTOMOUNT diff --git a/build-aux/announce-gen b/build-aux/announce-gen index 5c35e3d564..ff6d226ad5 100755 --- a/build-aux/announce-gen +++ b/build-aux/announce-gen @@ -90,6 +90,8 @@ The following are optional: VERSION is the result of running git describe in the gnulib source directory. required if gnulib is in TOOL_LIST. + --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing +the key used to sign the tarballs --no-print-checksums do not emit SHA1 or SHA256 checksums --archive-suffix=SUF add SUF to the list of archive suffixes --mail-headers=HEADERS a space-separated list of mail headers, e.g., @@ -377,6 +379,7 @@ sub get_tool_versions ($$) my $bootstrap_tools; my $gnulib_version; my $print_checksums_p = 1; + my $gpg_keyring_url; # Reformat the warnings before displaying them. local $SIG{__WARN__} = sub @@ -395,6 +398,7 @@ sub get_tool_versions ($$) 'previous-version=s' => \$prev_version, 'current-version=s' => \$curr_version, 'gpg-key-id=s' => \$gpg_key_id, + 'gpg-keyring-url=s' => \$gpg_keyring_url, 'url-directory=s'=> \@url_dir_list, 'news=s' => \@news_file, 'srcdir=s' => \$srcdir, @@ -434,6 +438,9 @@ sub get_tool_versions ($$) @url_dir_list or (warn "URL directory name(s) not specified\n"), $fail = 1; + $gpg_keyring_url +or $gpg_keyring_url = "https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1;; + my @tool_list = split ',', $bootstrap_tools if $bootstrap_tools; @@ -536,7 +543,7 @@ and the corresponding tarball. Then, run a command like this: If that command fails because you don't have the required public key, then run this command to import it: - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id + wget -q -O- '$gpg_keyring_url' | gpg --import - and rerun the 'gpg --verify' command. EOF -- 2.35.1
Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
Sorry, I just realized a glaring error in this patch. The $gpg_keyring_url variable is not used at all. Instead the Savannah URL is hardcoded in the announce email. My Perl is not good enough to immediately know how to force a lazy evaluation of the variable in order to get the project name at the end. It's late at night, and I shouldn't have sent the patch when semi-asleep. I'll fix the issue and send a new version later in the day. On Tue, Mar 8, 2022, at 00:45, Darshit Shah wrote: > * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was > deprecated and has been offline since the middle of 2021. The default > keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus > offline as well. Instead, use the Release Keyring on Savannah to list the > GnuPG Keys used to sign releases for that project and import the entire > keyring. A new option --gpg-keyring-url is provided for projects that don't > use Savannah or maintain their keyring elsewhere > --- > ChangeLog | 11 +++ > build-aux/announce-gen | 7 ++- > 2 files changed, 17 insertions(+), 1 deletion(-) > > diff --git a/ChangeLog b/ChangeLog > index e3f0ed216c..c2ea26f5ca 100644 > --- a/ChangeLog > +++ b/ChangeLog > @@ -1,3 +1,14 @@ > +2022-03-08 Darshit Shah > + > + build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG > + * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys > was > + deprecated and has been offline since the middle of 2021. The default > + keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus > + offline as well. Instead, use the Release Keyring on Savannah to list > the > + GnuPG Keys used to sign releases for that project and import the entire > + keyring. A new option --gpg-keyring-url is provided for projects that > don't > + use Savannah or maintain their keyring elsewhere > + > 2022-03-07 Pádraig Brady > > fcntl-h: add AT_NO_AUTOMOUNT > diff --git a/build-aux/announce-gen b/build-aux/announce-gen > index 5c35e3d564..19f0015e47 100755 > --- a/build-aux/announce-gen > +++ b/build-aux/announce-gen > @@ -52,6 +52,7 @@ use POSIX qw(strftime); > my %valid_release_types = map {$_ => 1} qw (alpha beta stable); > my @archive_suffixes = qw (tar.gz tar.bz2 tar.lz tar.lzma tar.xz); > my $srcdir = '.'; > +my $gpg_keyring_url = > "https://savannah.gnu.org/project/release-gpgkeys.php?group=\$project_name=1;; > > sub usage ($) > { > @@ -90,6 +91,9 @@ The following are optional: > VERSION is the result of running git > describe > in the gnulib source directory. > required if gnulib is in TOOL_LIST. > + --gpg-keyring-url=URLURL pointing to the GnuPG Keyring > containing > +the key used to sign the tarballs > +(default: $gpg_keyring_url) > --no-print-checksums do not emit SHA1 or SHA256 checksums > --archive-suffix=SUF add SUF to the list of archive suffixes > --mail-headers=HEADERS a space-separated list of mail > headers, e.g., > @@ -395,6 +399,7 @@ sub get_tool_versions ($$) > 'previous-version=s' => \$prev_version, > 'current-version=s' => \$curr_version, > 'gpg-key-id=s' => \$gpg_key_id, > + 'gpg-keyring-url=s' => \$gpg_keyring_url, > 'url-directory=s'=> \@url_dir_list, > 'news=s' => \@news_file, > 'srcdir=s' => \$srcdir, > @@ -536,7 +541,7 @@ and the corresponding tarball. Then, run a command > like this: > If that command fails because you don't have the required public key, > then run this command to import it: > > - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id > + wget -q -O- > 'https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1' > > | gpg --import - > > and rerun the 'gpg --verify' command. > EOF > -- > 2.35.1
[PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
* build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was deprecated and has been offline since the middle of 2021. The default keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus offline as well. Instead, use the Release Keyring on Savannah to list the GnuPG Keys used to sign releases for that project and import the entire keyring. A new option --gpg-keyring-url is provided for projects that don't use Savannah or maintain their keyring elsewhere --- ChangeLog | 11 +++ build-aux/announce-gen | 7 ++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index e3f0ed216c..c2ea26f5ca 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2022-03-08 Darshit Shah + + build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG + * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was + deprecated and has been offline since the middle of 2021. The default + keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus + offline as well. Instead, use the Release Keyring on Savannah to list the + GnuPG Keys used to sign releases for that project and import the entire + keyring. A new option --gpg-keyring-url is provided for projects that don't + use Savannah or maintain their keyring elsewhere + 2022-03-07 Pádraig Brady fcntl-h: add AT_NO_AUTOMOUNT diff --git a/build-aux/announce-gen b/build-aux/announce-gen index 5c35e3d564..19f0015e47 100755 --- a/build-aux/announce-gen +++ b/build-aux/announce-gen @@ -52,6 +52,7 @@ use POSIX qw(strftime); my %valid_release_types = map {$_ => 1} qw (alpha beta stable); my @archive_suffixes = qw (tar.gz tar.bz2 tar.lz tar.lzma tar.xz); my $srcdir = '.'; +my $gpg_keyring_url = "https://savannah.gnu.org/project/release-gpgkeys.php?group=\$project_name=1;; sub usage ($) { @@ -90,6 +91,9 @@ The following are optional: VERSION is the result of running git describe in the gnulib source directory. required if gnulib is in TOOL_LIST. + --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing +the key used to sign the tarballs +(default: $gpg_keyring_url) --no-print-checksums do not emit SHA1 or SHA256 checksums --archive-suffix=SUF add SUF to the list of archive suffixes --mail-headers=HEADERS a space-separated list of mail headers, e.g., @@ -395,6 +399,7 @@ sub get_tool_versions ($$) 'previous-version=s' => \$prev_version, 'current-version=s' => \$curr_version, 'gpg-key-id=s' => \$gpg_key_id, + 'gpg-keyring-url=s' => \$gpg_keyring_url, 'url-directory=s'=> \@url_dir_list, 'news=s' => \@news_file, 'srcdir=s' => \$srcdir, @@ -536,7 +541,7 @@ and the corresponding tarball. Then, run a command like this: If that command fails because you don't have the required public key, then run this command to import it: - gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id + wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1' | gpg --import - and rerun the 'gpg --verify' command. EOF -- 2.35.1