def test_gpg_agent(tmpdir):
    """Check that leaving the ``gpg_agent`` context cleans up socket files.

    A regular file named like a gpg-agent socket is created in the managed
    directory while the context is active. It must exist inside the context
    and be gone after the context has exited.
    """
    gnupg_home = str(tmpdir)
    fake_socket = os.path.join(gnupg_home, 'S.gpg-agent.fake')

    with gpg_agent(gnupg_home):
        # Nothing has been created yet, so the path must not exist.
        assert not os.path.isfile(fake_socket)
        with open(fake_socket, mode='w') as handle:
            handle.write('fake socket')
        assert os.path.isfile(fake_socket)

    # Leaving the context is expected to remove the stand-in socket file.
    assert not os.path.isfile(fake_socket)
def build_keyring(tempdir, keyring_file, key_data):
    """Import ``key_data`` into a keyring file located below ``tempdir``.

    Returns the path of the keyring file, or ``None`` when ``key_data`` is
    falsy (no keyring is built in that case).
    """
    if not key_data:
        # NOTE(review): None means "no keyring available"; confirm that
        # callers treat this as "cannot verify" and never as "verified".
        return None

    keyring_path = os.path.join(tempdir, keyring_file)
    with gpg_agent(str(tempdir)):
        gpg = gnupg.GPG(gnupghome=tempdir, keyring=keyring_path)
        gpg.encoding = 'utf-8'
        # NOTE(review): the result of import_keys() is not inspected, so
        # malformed key data is only noticed later, when a verification
        # against this keyring fails.
        gpg.import_keys(key_data)
    return keyring_path
def sign_release(self):
    """Create ``Release.gpg``, a detached armored signature of ``Release``.

    Runs ``gpg`` with ``self.datadir`` as its home directory, using the
    ``test-secring.gpg`` / ``test-pubring.gpg`` key rings found there and
    SHA256 as the digest algorithm.

    Raises:
        subprocess.CalledProcessError: if gpg exits with a non-zero status.
    """
    datadir = str(self.datadir)

    def in_datadir(name):
        # All inputs and outputs of the signing run live in the data dir.
        return os.path.join(datadir, name)

    cmd = [
        'gpg', '--batch', '--yes',
        '--homedir', datadir,
        # Use only the key rings named below, not the user's default one.
        '--no-default-keyring',
        '--secret-keyring', in_datadir('test-secring.gpg'),
        '--keyring', in_datadir('test-pubring.gpg'),
        '--digest-algo', 'SHA256',
        # -a: ASCII armor, -b: detached signature, -s: sign.
        '-abs',
        '-o', in_datadir('Release.gpg'),
        in_datadir('Release'),
    ]

    with gpg_agent(datadir):
        subprocess.run(cmd, input=None, timeout=None, check=True)
def _verify_signature(self, homedir, keyring, signed_file,
                      detached_signature=None):
    """Verify the GnuPG signature of ``signed_file`` against ``keyring``.

    With ``detached_signature`` the signature is read from that file,
    otherwise ``signed_file`` is expected to carry its own signature. The
    check passes only if gpg's status output contains both a ``GOODSIG``
    and a ``VALIDSIG`` line.

    Raises:
        FatalError: if either status line is missing. The message includes
            gpg's stderr output when there is any.
    """
    cmd = [
        'gpg',
        '--homedir', homedir,
        # Signatures made with these digest algorithms are treated as weak.
        '--weak-digest', 'SHA1',
        '--weak-digest', 'RIPEMD160',
        # Trust only the keys in the given keyring.
        '--no-default-keyring', '--keyring', keyring,
        # Machine-readable status lines are written to stdout.
        '--status-fd', '1',
        '--verify',
    ]
    if detached_signature:
        cmd.append(detached_signature)
    cmd.append(signed_file)

    with gpg_agent(str(homedir)):
        output = subprocess.run(cmd, input=None, timeout=None, check=False,
                                universal_newlines=True,
                                stdout=subprocess.PIPE,
                                stderr=subprocess.PIPE)

    status_text = output.stdout
    logging.info(status_text)

    # The exit status of gpg is deliberately not consulted (check=False);
    # the decision rests on the status lines alone.
    # NOTE(review): the two patterns are matched independently, so with
    # several signatures on one file they need not stem from the same one.
    has_goodsig = re.search(r'^\[GNUPG:\] GOODSIG', status_text,
                            re.MULTILINE)
    has_validsig = re.search(r'^\[GNUPG:\] VALIDSIG', status_text,
                             re.MULTILINE)

    if has_goodsig and has_validsig:
        # NOTE(review): for an inline-signed file only the signed payload is
        # covered; confirm that callers do not trust text outside of it.
        logging.info('Signature check ok!')
        return

    # A detached signature belongs to 'Release', an inline one to 'InRelease'.
    release_name = 'Release' if detached_signature else 'InRelease'
    release_file_url = self._get_release_file_url(release_name)

    if output.stderr:
        raise FatalError(
            ("Signature check for '{}' failed with error message '{}'!"
             ).format(release_file_url, output.stderr))
    raise FatalError("Signature check for '{}' failed!".format(
        release_file_url))