def verify(self, recursion=False): """Verify file using gpg signature.""" global KEYID global EMAIL print("Verifying GPG signature\n") if os.path.exists(self.package_path) is False: self.print_result(False, err_msg='{} not found'.format(self.package_path)) return None if os.path.exists(self.package_sign_path) is False and self.get_sign( ) is not True: self.print_result(False, err_msg='{} not found'.format( self.package_sign_path)) return None if sign_isvalid(self.package_sign_path) is False: self.print_result(False, err_msg='{} is not a GPG signature'.format( self.package_sign_path)) try: os.unlink(self.package_sign_path) except Exception: pass return None # valid signature exists at package_sign_path, operate on it now keyid = get_keyid(self.package_sign_path) # default location first pubkey_loc = self.pubkey_path.format(keyid) if not os.path.exists(pubkey_loc): # attempt import the key interactively if set to do so self.print_result(False, 'Public key {} not found'.format(keyid)) if not self.interactive or recursion: return None if attempt_key_import(keyid, self.pubkey_path.format(keyid)): print(SEPT) return self.verify(recursion=True) return None # public key exists or is imported, verify EMAIL = parse_key(pubkey_loc, r':user ID packet: ".* <(.+?)>"\n') sign_status = verify_cli(pubkey_loc, self.package_path, self.package_sign_path) if not sign_status: if config.old_keyid: compare_keys(KEYID_TRY, config.old_keyid) self.print_result(self.package_path) KEYID = KEYID_TRY config.signature = self.key_url config.config_opts['verify_required'] = True config.rewrite_config_opts(os.path.dirname(self.package_path)) return True else: self.print_result(False, err_msg=sign_status.strerror) self.quit()
def verify(self, recursion=False): global KEYID global EMAIL print("Verifying GPG signature\n") if os.path.exists(self.package_path) is False: self.print_result(False, err_msg='{} not found'.format(self.package_path)) return None if os.path.exists(self.package_sign_path) is False and self.get_sign( ) is not True: self.print_result(False, err_msg='{} not found'.format( self.package_sign_path)) return None if sign_isvalid(self.package_sign_path) is False: self.print_result(False, err_msg='{} is not a GPG signature'.format( self.package_sign_path)) os.unlink(self.package_sign_path) return None pub_key = self.get_pubkey_path() EMAIL = parse_key(pub_key, r':user ID packet: ".* <(.+?)>"\n') if not pub_key or os.path.exists(pub_key) is False: key_id = get_keyid(self.package_sign_path) self.print_result( False, 'Public key {} not found in keyring'.format(key_id)) if self.interactive is True and recursion is False and attempt_key_import( key_id): print(SEPT) return self.verify(recursion=True) return None sign_status = verify_cli(pub_key, self.package_path, self.package_sign_path) if sign_status is None: if config.old_keyid: compare_keys(KEYID_TRY, config.old_keyid) self.print_result(self.package_path) KEYID = KEYID_TRY config.signature = self.key_url config.config_opts['verify_required'] = True config.rewrite_config_opts(os.path.dirname(self.package_path)) return True else: self.print_result(False, err_msg=sign_status.strerror) self.quit()
def guess_commit_message(keyinfo): """Parse newsfile for a commit message. Try and find a sane commit message for the newsfile. The commit message defaults to the following for an updated version if no CVEs are fixed: <tarball name>: Autospec creation for update from version <old> to version <new> If CVEs are fixed: <tarball name>: Fix for <cve> And if the version does not change: <tarball name>: Autospec creation for version <version> Additional information is appended to the commitmessage depending on NEWS and ChangeLog files and the presence of CVEs. The commitmessage is written to a file at <download path>/commitmsg. """ cvestring = "" cves = set() commitmessage = [] for cve in config.cves: cves.add(cve) cvestring += " " + cve # default commit messages before we get too smart if config.old_version is not None and config.old_version != tarball.version: commitmessage.append("{}: Autospec creation for update from version {} to version {}" .format(tarball.name, config.old_version, tarball.version)) if tarball.giturl != "": gitmsg = process_git(tarball.giturl, config.old_version, tarball.version) commitmessage.append("") commitmessage.extend(gitmsg) else: if cves: commitmessage.append("{}: Fix for {}" .format(tarball.name, cvestring.strip())) else: commitmessage.append("{}: Autospec creation for version {}" .format(tarball.name, tarball.version)) commitmessage.append("") for newsfile in ["NEWS", "ChangeLog"]: # parse news files for relevant version updates and cve fixes newcommitmessage, newcves = process_NEWS(newsfile) commitmessage.extend(newcommitmessage) cves.update(newcves) if cves: # make the package security sensitive if a CVE was patched config.config_opts['security_sensitive'] = True config.rewrite_config_opts(build.base_path) # append CVE fixes to end of commit message commitmessage.append("CVEs fixed in this build:") commitmessage.extend(sorted(list(cves))) commitmessage.append("") if keyinfo: commitmessage.append("Key imported:\n{}".format(keyinfo)) util.write_out(os.path.join(build.download_path, "commitmsg"), "\n".join(commitmessage) + "\n") print("Guessed commit message:") try: print("\n".join(commitmessage)) except Exception: print("Can't print")