Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

2022-03-14 Thread Simon Josefsson via Gnulib discussion list
"Darshit Shah"  writes:

> I don't have push access to gnulib, so could you please push it for me?

I ended up pushing the patch below.  There are several considerations
here:

* We want the OpenPGP Key identifier to be mentioned in the e-mail, it
  provides a strong hash-based coupling between the (hopefully signed)
  e-mail and the resulting retrieved OpenPGP key.  Searching keys based
  on email address, or downloading a URL, introduces trust on some
  remote server to offer the correct key.  While the OpenPGP key IDs are
  user unfriendly, I think this should remain the preferred (and thus
  first) suggestion in the list of commands to try because it offers
  extra resilience.

* I settled on suggesting the simple 'gpg --locate-external-key', which
  requires a bit more modern GnuPG, see [1] for further discussion.

* A developer may want to put gpg_key_email="" or gpg_keyring_url="" in
  cfg.mk to avoid adding these lines to the announcement.

* I moved the default URL from announce-gen to maint.mk, mostly to make
  the code to support the previous point easier.

/Simon
[1] https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242
From 2ca890b56420158076f9027ef432311a5645fc2b Mon Sep 17 00:00:00 2001
From: Simon Josefsson 
Date: Mon, 14 Mar 2022 11:14:50 +0100
Subject: [PATCH] maintainer-makefile: Improve GnuPG announce-gen options.

* top/maint.mk (gpg_key_emil): New variable.
(gpg_keyring_url): New variable.
(announcement): Pass them as --gpg-key-email and
--gpg-keyring-url.
---
 ChangeLog| 6 ++
 top/maint.mk | 9 +
 2 files changed, 15 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index e68ce4546b..1f60d9a44c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,12 @@
 	(main): Don't suggest 'gpg --keyserver' since the situation with
 	public key servers is complicated and GnuPG version dependent.
 
+	maintainer-makefile: Improve GnuPG announce-gen options.
+	* top/maint.mk (gpg_key_emil): New variable.
+	(gpg_keyring_url): New variable.
+	(announcement): Pass them as --gpg-key-email and
+	--gpg-keyring-url.
+
 2022-03-13  Ben Pfaff  
 
 	Document Automake 1.14 requirement in NEWS, too, since it had been
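Review bot: the ChangeLog line `* top/maint.mk (gpg_key_emil): New variable.` misspells the variable; the maint.mk hunk in this same patch defines `gpg_key_email`, and the commit body carries the same typo. Fix it in both places before pushing so ChangeLog searches and `git log -S gpg_key_email` agree.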
diff --git a/top/maint.mk b/top/maint.mk
index 92cef425cf..b9f483bf97 100644
--- a/top/maint.mk
+++ b/top/maint.mk
@@ -1391,6 +1391,11 @@ gpg_key_ID ?=\
  && git cat-file tag v$(VERSION)	\
 | $(gpgv) --status-fd 1 --keyring /dev/null - - 2>/dev/null	\
 | $(AWK) '/^\[GNUPG:\] ERRSIG / {print $$3; exit}')
+gpg_key_email ?=			\
+  $$(gpg --list-key --with-colons $(gpg_key_ID) 2>/dev/null		\
+	| $(AWK) -F: '/^uid/ {print $$10; exit}'			\
+	| $(SED) -n 's/.*<\(.*\)>/\1/p')
+gpg_keyring_url ?= https://savannah.gnu.org/project/release-gpgkeys.php?group=$(PACKAGE)=1
 
 translation_project_ ?= coordina...@translationproject.org
 
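Review bot: `gpg_key_email` has no guard for an empty `gpg_key_ID`. When the ERRSIG pipeline just above yields nothing (no `v$(VERSION)` tag yet, or `$(gpgv)` missing), `gpg --list-key --with-colons` runs with no argument, lists every key in the maintainer's keyring, and the first uid's address is silently picked up; prefix the substitution with `test -n "$(gpg_key_ID)" &&`, as the announcement recipe already does for the options. Separately, the default `gpg_keyring_url` query string `group=$(PACKAGE)=1` has two `=` and no `&`, which reads like a parameter name lost in transit; check it against the URL Savannah actually serves.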
@@ -1421,6 +1426,10 @@ announcement: NEWS ChangeLog $(rel-files)
 	--prev=$(PREV_VERSION)	\
 	--curr=$(VERSION)		\
 	--gpg-key-id=$(gpg_key_ID)	\
+	$$(test -n "$(gpg_key_email)" &&\
+	   echo --gpg-key-email="$(gpg_key_email)")			\
+	$$(test -n "$(gpg_keyring_url)" &&\
+	   echo --gpg-keyring-url="$(gpg_keyring_url)")		\
 	--srcdir=$(srcdir)		\
 	--news=$(srcdir)/NEWS	\
 	--bootstrap-tools=$(bootstrap-tools)			\
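Review bot: the two `$$(test -n "$(gpg_key_email)" && echo --gpg-key-email="$(gpg_key_email)")` substitutions are unquoted, so their output is field-split and glob-expanded by the recipe shell before announce-gen sees it, and the keyring URL contains `?`, a glob metacharacter. A make-level conditional avoids the sub-shell and keeps the argument intact, e.g. `$(if $(gpg_key_email),--gpg-key-email='$(gpg_key_email)')` and likewise for `--gpg-keyring-url`; the `?=` defaults still let cfg.mk set either variable to the empty string to drop the option.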
-- 
2.30.2
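The `gpg_key_email` pipeline in the maint.mk hunk above and the key-ID coupling argued for in the first bullet, as an added example in shell (not gnulib code): it re-runs the same awk/sed extraction over constructed `--with-colons` output and adds the check a recipient should perform once a keyring fetched from a URL has been imported, namely that the key ID named in the announcement is the tail of the imported key's fingerprint. The key, address and fingerprints are made up.

```shell
#!/bin/sh
# Added example (not gnulib code): reproduce the gpg_key_email extraction
# from the maint.mk hunk and add the check a recipient should run after
# 'gpg --import' of a keyring fetched by URL: does the key named in the
# announcement (by long key ID) match the fingerprint of the imported key?
# Input is constructed 'gpg --list-key --with-colons' output; gpg not needed.

# Constructed sample (hypothetical key).  In --with-colons output field 5 of
# 'pub' is the long key ID, field 10 of 'fpr' is the fingerprint and
# field 10 of 'uid' is the user ID; the first 'fpr' belongs to the primary key.
SAMPLE_COLONS='tru::1:1647250000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1600000000:::u:::scESC:::::ed25519:::0:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000001::Release Manager <releases@example.org>::::::::::0:
sub:u:255:18:3333222211110000:1600000000::::::e:::::cv25519::
fpr:::::::::9999888877776666555544443333222211110000:'

# Same pipeline maint.mk uses for gpg_key_email: first uid line, user-ID
# field, address between < and >.
key_email() {
  printf '%s\n' "$1" \
    | awk -F: '/^uid/ {print $10; exit}' \
    | sed -n 's/.*<\(.*\)>/\1/p'
}

# Fingerprint of the primary key (first fpr line, which follows pub not sub).
primary_fpr() {
  printf '%s\n' "$1" | awk -F: '/^fpr/ {print $10; exit}'
}

# The coupling check: the long key ID quoted in the signed announcement must be
# the last 16 hex digits of the fingerprint of the key that was imported.
# Accepts an optional 0x prefix and lower-case hex.  Returns 0 on match.
keyid_matches_fpr() {
  keyid=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
  [ ${#keyid} -eq 16 ] || return 1
  case "$(primary_fpr "$2")" in
    *"$keyid") return 0 ;;
  esac
  return 1
}

key_email "$SAMPLE_COLONS"
if keyid_matches_fpr 0x0123456789abcdef "$SAMPLE_COLONS"; then
  echo "key ID matches imported fingerprint"
else
  echo "key ID does NOT match imported fingerprint"
fi
```

In practice the second argument is the output of `gpg --list-key --with-colons "$gpg_key_id"` after the import, and a mismatch means the keyring page served a different key than the announcement named.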





Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

2022-03-13 Thread Darshit Shah



On Sun, Mar 13, 2022, at 09:10, Simon Josefsson wrote:
> Darshit Shah  writes:
>
>> +   --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing
>> +the key used to sign the tarballs
> ...
>>  If that command fails because you don't have the required public key,
>>  then run this command to import it:
>>  
>> -  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
>> +  wget -q -O- '$gpg_keyring_url' | gpg --import -
>
> Hi.  I agree this part of announce-gen is sub-optimal.   There were
> earlier discussions about solutions:
>
> https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242
>
> My first reaction was that we should use something like that instead,
> and not your patch.  However given how unreliable the GnuPG parameters
> (different version compatibility, and some reports about bugs) are wrt
> to key servers, I prefer your approach to mention a URL in the
> announcement instead of suggesting --recv-keys or some variant of
> --locate-external-keys.  This also makes it much easier for anyone not
> using GnuPG to locate the OpenPGP key.
>
> Do you have push access to gnulib, or do you want me to polish up the
> patch and push it?

I don't have push access to gnulib, so could you please push it for me?



Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

2022-03-13 Thread Simon Josefsson via Gnulib discussion list
Darshit Shah  writes:

> +   --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing
> +the key used to sign the tarballs
...
>  If that command fails because you don't have the required public key,
>  then run this command to import it:
>  
> -  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
> +  wget -q -O- '$gpg_keyring_url' | gpg --import -

Hi.  I agree this part of announce-gen is sub-optimal.   There were
earlier discussions about solutions:

https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242

My first reaction was that we should use something like that instead,
and not your patch.  However given how unreliable the GnuPG parameters
(different version compatibility, and some reports about bugs) are wrt
to key servers, I prefer your approach to mention a URL in the
announcement instead of suggesting --recv-keys or some variant of
--locate-external-keys.  This also makes it much easier for anyone not
using GnuPG to locate the OpenPGP key.

Do you have push access to gnulib, or do you want me to polish up the
patch and push it?

/Simon




[PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

2022-03-07 Thread Darshit Shah
Okay, I decided to take the easy way out and wrote this patch instead. The URL
was too long and ugly in the --help output, so I'm glad to remove it from
there.
-- >8 --

* build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was
deprecated and has been offline since the middle of 2021. The default
keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus
offline as well. Instead, use the Release Keyring on Savannah to list the
GnuPG Keys used to sign releases for that project and import the entire
keyring. A new option --gpg-keyring-url is provided for projects that don't
use Savannah or maintain their keyring elsewhere
---
 ChangeLog  | 11 +++
 build-aux/announce-gen |  9 -
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index e3f0ed216c..c2ea26f5ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2022-03-08  Darshit Shah  
+
+   build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
+   * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys 
was
+   deprecated and has been offline since the middle of 2021. The default
+   keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus
+   offline as well. Instead, use the Release Keyring on Savannah to list 
the
+   GnuPG Keys used to sign releases for that project and import the entire
+   keyring. A new option --gpg-keyring-url is provided for projects that 
don't
+   use Savannah or maintain their keyring elsewhere
+
 2022-03-07  Pádraig Brady  
 
fcntl-h: add AT_NO_AUTOMOUNT
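Review bot: the mailer has re-wrapped the long `+` lines of this ChangeLog entry, leaving `was`, `the` and `don't` on lines of their own without a `+` prefix, so `git am` will reject the patch as received; resend with `git send-email` or as an attachment, and wrap the entry at the ChangeLog's usual width so no line needs folding. The entry also ends without a full stop after `elsewhere`.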
diff --git a/build-aux/announce-gen b/build-aux/announce-gen
index 5c35e3d564..ff6d226ad5 100755
--- a/build-aux/announce-gen
+++ b/build-aux/announce-gen
@@ -90,6 +90,8 @@ The following are optional:
 VERSION is the result of running git describe
 in the gnulib source directory.
 required if gnulib is in TOOL_LIST.
+   --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing
+the key used to sign the tarballs
--no-print-checksums do not emit SHA1 or SHA256 checksums
--archive-suffix=SUF add SUF to the list of archive suffixes
--mail-headers=HEADERS   a space-separated list of mail headers, e.g.,
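Review bot: the new `--gpg-keyring-url=URL` help text no longer says what happens when the option is omitted, while the code later in this patch defaults to the Savannah release keyring for the package; add a line such as `(default: the Savannah release keyring of the package)` so a project hosted elsewhere knows it must pass the option.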
@@ -377,6 +379,7 @@ sub get_tool_versions ($$)
   my $bootstrap_tools;
   my $gnulib_version;
   my $print_checksums_p = 1;
+  my $gpg_keyring_url;
 
   # Reformat the warnings before displaying them.
   local $SIG{__WARN__} = sub
@@ -395,6 +398,7 @@ sub get_tool_versions ($$)
  'previous-version=s' => \$prev_version,
  'current-version=s'  => \$curr_version,
  'gpg-key-id=s'   => \$gpg_key_id,
+ 'gpg-keyring-url=s'  => \$gpg_keyring_url,
  'url-directory=s'=> \@url_dir_list,
  'news=s' => \@news_file,
  'srcdir=s'   => \$srcdir,
@@ -434,6 +438,9 @@ sub get_tool_versions ($$)
   @url_dir_list
 or (warn "URL directory name(s) not specified\n"), $fail = 1;
 
+  $gpg_keyring_url
+or $gpg_keyring_url = 
"https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1;;
+
   my @tool_list = split ',', $bootstrap_tools
 if $bootstrap_tools;
 
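Review bot: the default `"https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1;;` is not a valid query string (`group=…=1` with no `&`) and the statement ends in `;;`; an `&…` component appears to have been eaten somewhere between editor and archive. Verify the literal against the URL Savannah serves before pushing, and keep `$package_name` interpolation here rather than at file scope so it is evaluated after option parsing.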
@@ -536,7 +543,7 @@ and the corresponding tarball.  Then, run a command like 
this:
 If that command fails because you don't have the required public key,
 then run this command to import it:
 
-  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
+  wget -q -O- '$gpg_keyring_url' | gpg --import -
 
 and rerun the 'gpg --verify' command.
 EOF
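Review bot: after `wget -q -O- '$gpg_keyring_url' | gpg --import -` the reader has imported every key on the keyring page, not only `$gpg_key_id`, and the hunk drops the one place the announcement tied the import to a specific key. Keep the key ID in the instruction, for example "and check that the `gpg --verify` output names key $gpg_key_id", so the signed e-mail still binds to the key, which is the coupling the thread argues for. `-q` also silences wget's HTTP and TLS errors, so an empty body fails only inside gpg with a less helpful message.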
-- 
2.35.1




Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

2022-03-07 Thread Darshit Shah
Sorry,

I just realized a glaring error in this patch. The $gpg_keyring_url variable is 
not used at all. Instead the Savannah URL is hardcoded in the announce email. 
My Perl is not good enough to immediately know how to force a lazy evaluation 
of the variable in order to get the project name at the end.

It's late at night, and I shouldn't have sent the patch when semi-asleep. I'll 
fix the issue and send a new version later in the day.

On Tue, Mar 8, 2022, at 00:45, Darshit Shah wrote:
> * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was
> deprecated and has been offline since the middle of 2021. The default
> keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus
> offline as well. Instead, use the Release Keyring on Savannah to list the
> GnuPG Keys used to sign releases for that project and import the entire
> keyring. A new option --gpg-keyring-url is provided for projects that don't
> use Savannah or maintain their keyring elsewhere
> ---
>  ChangeLog  | 11 +++
>  build-aux/announce-gen |  7 ++-
>  2 files changed, 17 insertions(+), 1 deletion(-)
>
> diff --git a/ChangeLog b/ChangeLog
> index e3f0ed216c..c2ea26f5ca 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,14 @@
> +2022-03-08  Darshit Shah  
> +
> + build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
> + * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys 
> was
> + deprecated and has been offline since the middle of 2021. The default
> + keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus
> + offline as well. Instead, use the Release Keyring on Savannah to list 
> the
> + GnuPG Keys used to sign releases for that project and import the entire
> + keyring. A new option --gpg-keyring-url is provided for projects that 
> don't
> + use Savannah or maintain their keyring elsewhere
> +
>  2022-03-07  Pádraig Brady  
> 
>   fcntl-h: add AT_NO_AUTOMOUNT
> diff --git a/build-aux/announce-gen b/build-aux/announce-gen
> index 5c35e3d564..19f0015e47 100755
> --- a/build-aux/announce-gen
> +++ b/build-aux/announce-gen
> @@ -52,6 +52,7 @@ use POSIX qw(strftime);
>  my %valid_release_types = map {$_ => 1} qw (alpha beta stable);
>  my @archive_suffixes = qw (tar.gz tar.bz2 tar.lz tar.lzma tar.xz);
>  my $srcdir = '.';
> +my $gpg_keyring_url = 
> "https://savannah.gnu.org/project/release-gpgkeys.php?group=\$project_name=1;;
> 
>  sub usage ($)
>  {
> @@ -90,6 +91,9 @@ The following are optional:
>  VERSION is the result of running git 
> describe
>  in the gnulib source directory.
>  required if gnulib is in TOOL_LIST.
> +   --gpg-keyring-url=URLURL pointing to the GnuPG Keyring 
> containing
> +the key used to sign the tarballs
> +(default: $gpg_keyring_url)
> --no-print-checksums do not emit SHA1 or SHA256 checksums
> --archive-suffix=SUF add SUF to the list of archive suffixes
> --mail-headers=HEADERS   a space-separated list of mail 
> headers, e.g.,
> @@ -395,6 +399,7 @@ sub get_tool_versions ($$)
>   'previous-version=s' => \$prev_version,
>   'current-version=s'  => \$curr_version,
>   'gpg-key-id=s'   => \$gpg_key_id,
> + 'gpg-keyring-url=s'  => \$gpg_keyring_url,
>   'url-directory=s'=> \@url_dir_list,
>   'news=s' => \@news_file,
>   'srcdir=s'   => \$srcdir,
> @@ -536,7 +541,7 @@ and the corresponding tarball.  Then, run a command 
> like this:
>  If that command fails because you don't have the required public key,
>  then run this command to import it:
> 
> -  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
> +  wget -q -O- 
> 'https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1'
>  
> | gpg --import -
> 
>  and rerun the 'gpg --verify' command.
>  EOF
> -- 
> 2.35.1



[PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG

2022-03-07 Thread Darshit Shah
* build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys was
deprecated and has been offline since the middle of 2021. The default
keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus
offline as well. Instead, use the Release Keyring on Savannah to list the
GnuPG Keys used to sign releases for that project and import the entire
keyring. A new option --gpg-keyring-url is provided for projects that don't
use Savannah or maintain their keyring elsewhere
---
 ChangeLog  | 11 +++
 build-aux/announce-gen |  7 ++-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index e3f0ed216c..c2ea26f5ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2022-03-08  Darshit Shah  
+
+   build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
+   * build-aux/announce-gen: The default SKS Keyserver pool for GnuPG Keys 
was
+   deprecated and has been offline since the middle of 2021. The default
+   keyserver: keys.gnupg.net was just a mirror of the SKS Pool and is thus
+   offline as well. Instead, use the Release Keyring on Savannah to list 
the
+   GnuPG Keys used to sign releases for that project and import the entire
+   keyring. A new option --gpg-keyring-url is provided for projects that 
don't
+   use Savannah or maintain their keyring elsewhere
+
 2022-03-07  Pádraig Brady  
 
fcntl-h: add AT_NO_AUTOMOUNT
diff --git a/build-aux/announce-gen b/build-aux/announce-gen
index 5c35e3d564..19f0015e47 100755
--- a/build-aux/announce-gen
+++ b/build-aux/announce-gen
@@ -52,6 +52,7 @@ use POSIX qw(strftime);
 my %valid_release_types = map {$_ => 1} qw (alpha beta stable);
 my @archive_suffixes = qw (tar.gz tar.bz2 tar.lz tar.lzma tar.xz);
 my $srcdir = '.';
+my $gpg_keyring_url = 
"https://savannah.gnu.org/project/release-gpgkeys.php?group=\$project_name=1;;
 
 sub usage ($)
 {
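Review bot: `\$project_name` is backslash-escaped, so the default string contains the literal text `$project_name` and is never substituted; the heredoc further down uses `$package_name`, a different name, which is why the URL had to be hardcoded there. Compute the default after option parsing, once `$package_name` is known, and drop the backslash. The `?group=…=1;;` ending also looks mangled in transit and should be checked against the URL Savannah serves.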
@@ -90,6 +91,9 @@ The following are optional:
 VERSION is the result of running git describe
 in the gnulib source directory.
 required if gnulib is in TOOL_LIST.
+   --gpg-keyring-url=URLURL pointing to the GnuPG Keyring containing
+the key used to sign the tarballs
+(default: $gpg_keyring_url)
--no-print-checksums do not emit SHA1 or SHA256 checksums
--archive-suffix=SUF add SUF to the list of archive suffixes
--mail-headers=HEADERS   a space-separated list of mail headers, e.g.,
@@ -395,6 +399,7 @@ sub get_tool_versions ($$)
  'previous-version=s' => \$prev_version,
  'current-version=s'  => \$curr_version,
  'gpg-key-id=s'   => \$gpg_key_id,
+ 'gpg-keyring-url=s'  => \$gpg_keyring_url,
  'url-directory=s'=> \@url_dir_list,
  'news=s' => \@news_file,
  'srcdir=s'   => \$srcdir,
@@ -536,7 +541,7 @@ and the corresponding tarball.  Then, run a command like 
this:
 If that command fails because you don't have the required public key,
 then run this command to import it:
 
-  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
+  wget -q -O- 
'https://savannah.gnu.org/project/release-gpgkeys.php?group=$package_name=1'
 | gpg --import -
 
 and rerun the 'gpg --verify' command.
 EOF
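Review bot: the Savannah URL is hardcoded here while `$gpg_keyring_url`, now settable with `--gpg-keyring-url`, is never read, so the option has no effect on the announcement; use `'$gpg_keyring_url'` in the heredoc. The replacement line has also been folded by the mailer across three lines, so `git am` will reject the hunk as received.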
-- 
2.35.1