def verify(self, recursion=False):
"""Verify file using gpg signature."""
global KEYID
global EMAIL
print("Verifying GPG signature\n")
if os.path.exists(self.package_path) is False:
self.print_result(False,
err_msg='{} not found'.format(self.package_path))
return None
if os.path.exists(self.package_sign_path) is False and self.get_sign(
) is not True:
self.print_result(False,
err_msg='{} not found'.format(
self.package_sign_path))
return None
if sign_isvalid(self.package_sign_path) is False:
self.print_result(False,
err_msg='{} is not a GPG signature'.format(
self.package_sign_path))
try:
os.unlink(self.package_sign_path)
except Exception:
pass
return None
# valid signature exists at package_sign_path, operate on it now
keyid = get_keyid(self.package_sign_path)
# default location first
pubkey_loc = self.pubkey_path.format(keyid)
if not os.path.exists(pubkey_loc):
# attempt import the key interactively if set to do so
self.print_result(False, 'Public key {} not found'.format(keyid))
if not self.interactive or recursion:
return None
if attempt_key_import(keyid, self.pubkey_path.format(keyid)):
print(SEPT)
return self.verify(recursion=True)
return None
# public key exists or is imported, verify
EMAIL = parse_key(pubkey_loc, r':user ID packet: ".* <(.+?)>"\n')
sign_status = verify_cli(pubkey_loc, self.package_path,
self.package_sign_path)
if not sign_status:
if config.old_keyid:
compare_keys(KEYID_TRY, config.old_keyid)
self.print_result(self.package_path)
KEYID = KEYID_TRY
config.signature = self.key_url
config.config_opts['verify_required'] = True
config.rewrite_config_opts(os.path.dirname(self.package_path))
return True
else:
self.print_result(False, err_msg=sign_status.strerror)
self.quit()
def verify(self, recursion=False):
global KEYID
global EMAIL
print("Verifying GPG signature\n")
if os.path.exists(self.package_path) is False:
self.print_result(False,
err_msg='{} not found'.format(self.package_path))
return None
if os.path.exists(self.package_sign_path) is False and self.get_sign(
) is not True:
self.print_result(False,
err_msg='{} not found'.format(
self.package_sign_path))
return None
if sign_isvalid(self.package_sign_path) is False:
self.print_result(False,
err_msg='{} is not a GPG signature'.format(
self.package_sign_path))
os.unlink(self.package_sign_path)
return None
pub_key = self.get_pubkey_path()
EMAIL = parse_key(pub_key, r':user ID packet: ".* <(.+?)>"\n')
if not pub_key or os.path.exists(pub_key) is False:
key_id = get_keyid(self.package_sign_path)
self.print_result(
False, 'Public key {} not found in keyring'.format(key_id))
if self.interactive is True and recursion is False and attempt_key_import(
key_id):
print(SEPT)
return self.verify(recursion=True)
return None
sign_status = verify_cli(pub_key, self.package_path,
self.package_sign_path)
if sign_status is None:
if config.old_keyid:
compare_keys(KEYID_TRY, config.old_keyid)
self.print_result(self.package_path)
KEYID = KEYID_TRY
config.signature = self.key_url
config.config_opts['verify_required'] = True
config.rewrite_config_opts(os.path.dirname(self.package_path))
return True
else:
self.print_result(False, err_msg=sign_status.strerror)
self.quit()
def guess_commit_message(keyinfo):
"""Parse newsfile for a commit message.
Try and find a sane commit message for the newsfile. The commit message defaults to the
following for an updated version if no CVEs are fixed:
<tarball name>: Autospec creation for update from version <old> to version <new>
If CVEs are fixed:
<tarball name>: Fix for <cve>
And if the version does not change:
<tarball name>: Autospec creation for version <version>
Additional information is appended to the commitmessage depending on NEWS
and ChangeLog files and the presence of CVEs. The commitmessage is written
to a file at <download path>/commitmsg.
"""
cvestring = ""
cves = set()
commitmessage = []
for cve in config.cves:
cves.add(cve)
cvestring += " " + cve
# default commit messages before we get too smart
if config.old_version is not None and config.old_version != tarball.version:
commitmessage.append("{}: Autospec creation for update from version {} to version {}"
.format(tarball.name, config.old_version, tarball.version))
if tarball.giturl != "":
gitmsg = process_git(tarball.giturl, config.old_version, tarball.version)
commitmessage.append("")
commitmessage.extend(gitmsg)
else:
if cves:
commitmessage.append("{}: Fix for {}"
.format(tarball.name, cvestring.strip()))
else:
commitmessage.append("{}: Autospec creation for version {}"
.format(tarball.name, tarball.version))
commitmessage.append("")
for newsfile in ["NEWS", "ChangeLog"]:
# parse news files for relevant version updates and cve fixes
newcommitmessage, newcves = process_NEWS(newsfile)
commitmessage.extend(newcommitmessage)
cves.update(newcves)
if cves:
# make the package security sensitive if a CVE was patched
config.config_opts['security_sensitive'] = True
config.rewrite_config_opts(build.base_path)
# append CVE fixes to end of commit message
commitmessage.append("CVEs fixed in this build:")
commitmessage.extend(sorted(list(cves)))
commitmessage.append("")
if keyinfo:
commitmessage.append("Key imported:\n{}".format(keyinfo))
util.write_out(os.path.join(build.download_path, "commitmsg"),
"\n".join(commitmessage) + "\n")
print("Guessed commit message:")
try:
print("\n".join(commitmessage))
except Exception:
print("Can't print")
