author | Robin H. Johnson <robbat2@gentoo.org> | 2023-11-28 14:21:46 -0800 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2023-11-28 14:22:13 -0800 |
commit | 1fce5bde33244b28e6a601da6396774e7ee870e2 (patch) | |
tree | de4b7d9b5f4b53e8d0d82c4bd546a575f73e14a0 | |
parent | local/update-03-filename: add .editorconfig (diff) | |
update-02-gpg: improve trust chain check, but also workaround behavior buggithooks-20231128T222213Z
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-x | local/update-02-gpg | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/local/update-02-gpg b/local/update-02-gpg
index e61c7aa..79fbff4 100755
--- a/local/update-02-gpg
+++ b/local/update-02-gpg
@@ -60,10 +60,25 @@ case ${VERIFY_SIGS} in
 # create a dedicated GNUPGHOME
 TMPHOME=$(mktemp -d)
 trap 'rm -rf "${TMPHOME}"' EXIT
-# transfer the keys
+# transfer the keys:
+# - ONLY for the developer in question
+# - and chain to L1
+CHAIN=(
+ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org
+2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org
+18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org
+)
 gpg -q --export "${GOOD_KEYS[@]}" | GNUPGHOME=${TMPHOME} gpg -q --import
 # use new GNUGPHOME to restrict to dev's keys
 export GNUPGHOME=${TMPHOME}
+cat >>$GNUPGHOME/gpg.conf <<-EOF
+# Workaround for chain trust issue
+trust-model always
+EOF
+for _k in "${CHAIN[@]}" ; do
+echo "trusted-key $_k" >> $GNUPGHOME/gpg.conf
+done
+#GNUPGHOME=${TMPHOME} gpg --check-trustdb
 ;;
 no)
 ;;
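Review bot: `trust-model always` in the appended gpg.conf makes every key present in ${TMPHOME} fully valid, so the `trusted-key` lines written from CHAIN have no effect under that model, and nothing in this hunk imports the CHAIN keys into the temporary home at all — the only `--import` is fed by `gpg -q --export "${GOOD_KEYS[@]}"`, so the "chain to L1" check is only as strong as the GOOD_KEYS filter built outside the hunk. That invariant should be stated where the workaround is applied, e.g. `# NOTE: with trust-model always, acceptance == "key is in GOOD_KEYS"; CHAIN/trusted-key are inert until the trust bug is fixed and the chain keys are imported here`, and the commented-out `gpg --check-trustdb` left as the intended end state. The two config writes use unquoted paths; `cat >>"$GNUPGHOME/gpg.conf"` and `echo "trusted-key $_k" >>"$GNUPGHOME/gpg.conf"` are the safer spelling, and since `<<-EOF` strips only leading tabs, the terminator will not match if this arm is indented with spaces (the indentation is not visible here). The enclosing `case ${VERIFY_SIGS} in` arm starts before the hunk.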