|
7 | 7 | # mainstream/master |
8 | 8 | # Default ref: HEAD |
9 | 9 | set -euo pipefail |
| 10 | +shopt -s extglob |
10 | 11 | : "${KEYRING_DIR_GIT=}" "${NO_CHECK=}" "${DEBUG=}" "${VERBOSE=0}" |
11 | 12 | unset GNUPGHOME tags tag hash_len format expected_hash BUILDER_DIR |
12 | 13 |
|
@@ -37,33 +38,52 @@ case ${CHECK=signed-tag} in |
37 | 38 | ;; |
38 | 39 | esac |
39 | 40 |
|
| 41 | +case ${SHA1_IS_WEAK=1} in |
| 42 | +(0|false) SHA1_IS_WEAK=;; |
| 43 | +(1|true) SHA1_IS_WEAK='weak-digest sha1\nweak-digest sha224\n';; |
| 44 | +(*) printf 'Invalid value for $SHA1_IS_WEAK: %q\n' "$SHA1_IS_WEAK">&2; exit 1;; |
| 45 | +esac |
| 46 | + |
| 47 | +case ${FORCE_KEYRING_REGEN=false} in |
| 48 | +(false|true) :;; |
| 49 | +(*) printf 'Invalid value for $FORCE_KEYRING_REGEN: %q\n' "$FORCE_KEYRING_REGEN">&2; exit 1;; |
| 50 | +esac |
| 51 | + |
40 | 52 | if [ -n "$KEYRING_DIR_GIT" ]; then |
41 | 53 | GNUPGHOME="$(readlink -m "$KEYRING_DIR_GIT")" |
42 | 54 | export GNUPGHOME |
43 | 55 | if [ ! -d "$GNUPGHOME" ]; then |
44 | | - mkdir -p "$GNUPGHOME" |
45 | | - chmod 700 "$GNUPGHOME" |
46 | | - gpg --import qubes-developers-keys.asc |
47 | | - # Trust Qubes Master Signing Key |
48 | | - echo '427F11FD0FAA4B080123F01CDDFA1A3E36879494:6:' | gpg --import-ownertrust |
49 | | - fi |
50 | | - if [ qubes-developers-keys.asc -nt "$GNUPGHOME/pubring.gpg" ]; then |
51 | | - gpg --import qubes-developers-keys.asc |
52 | | - touch "$GNUPGHOME/pubring.gpg" |
| 56 | + mkdir -p -m 0700 -- "$GNUPGHOME" |
53 | 57 | fi |
54 | | - maintainers=$(env | grep -oP '^ALLOWED_COMPONENTS_[a-fA-F0-9]{40}') || : |
55 | | - for maintainer in $maintainers |
56 | | - do |
57 | | - read -a allowed_components <<<"${!maintainer}" |
58 | | - COMPONENT="$(basename "$1")" |
59 | | - COMPONENT="${COMPONENT//./builder}" |
60 | | - if elementIn "$COMPONENT" "${allowed_components[@]}"; then |
61 | | - keyid=${maintainer#ALLOWED_COMPONENTS_} |
62 | | - gpg --import "$BUILDER_DIR/keys/$keyid.asc" || exit 1 |
63 | | - echo "$keyid:6:" | gpg --import-ownertrust |
| 58 | + if :; then |
| 59 | + flock 9 |
| 60 | + if [ "$FORCE_KEYRING_REGEN" = true ]; then rm -rf -- "$GNUPGHOME"/!(.|..|setup.lock); fi |
| 61 | + if [[ ! -f "$GNUPGHOME/import.done" ]] || |
| 62 | + [[ qubes-developers-keys.asc -nt "$GNUPGHOME/pubring.gpg" ]]; then |
| 63 | + gpg --import qubes-developers-keys.asc |
| 64 | + # Trust Qubes Master Signing Key |
| 65 | + echo '427F11FD0FAA4B080123F01CDDFA1A3E36879494:6:' | gpg --import-ownertrust |
| 66 | + printf "weak-digest md5\nweak-digest ripemd160\n$SHA1_IS_WEAK" > "$GNUPGHOME/gpg.conf" |
| 67 | + if [ qubes-developers-keys.asc -nt "$GNUPGHOME/pubring.gpg" ]; then |
| 68 | + gpg --import qubes-developers-keys.asc |
| 69 | + touch "$GNUPGHOME/pubring.gpg" |
| 70 | + fi |
| 71 | + maintainers=$(env | grep -oP '^ALLOWED_COMPONENTS_[a-fA-F0-9]{40}') || : |
| 72 | + for maintainer in $maintainers |
| 73 | + do |
| 74 | + read -a allowed_components <<<"${!maintainer}" |
| 75 | + COMPONENT="$(basename "$1")" |
| 76 | + COMPONENT="${COMPONENT//./builder}" |
| 77 | + if elementIn "$COMPONENT" "${allowed_components[@]}"; then |
| 78 | + keyid=${maintainer#ALLOWED_COMPONENTS_} |
| 79 | + gpg --import "$BUILDER_DIR/keys/$keyid.asc" || exit 1 |
| 80 | + echo "$keyid:6:" | gpg --import-ownertrust |
| 81 | + fi |
| 82 | + done |
| 83 | + gpgconf --kill gpg-agent |
| 84 | + touch -- "$GNUPGHOME/import.done" |
64 | 85 | fi |
65 | | - done |
66 | | - gpgconf --kill gpg-agent |
| 86 | + fi 9> "$GNUPGHOME/setup.lock" |
67 | 87 | fi |
68 | 88 |
|
69 | 89 | pushd "$1" > /dev/null || exit 2 |
|
0 commit comments