| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
This avoids globbing, see: https://www.shellcheck.net/wiki/SC2223
Signed-off-by: Ulrich Müller <ulm@gentoo.org>
|
|
|
|
|
| |
Closes: https://github.com/gentoo/gentoo/pull/30061
Signed-off-by: David Seifert <soap@gentoo.org>
|
|
|
|
|
|
|
|
| |
Use openpgp-verify-detached when app-portage/gemato-20.0 is installed.
This lets us test the new code paths on ~arch with minimal risk
of breakage on stable.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
This is causing verification failures when verifying old signatures
made with now-expired keys.
Reverts: 75ea89a43b8d3efb6b264296f819d04d3c18c3af
Bug: https://bugs.gentoo.org/894164
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
| |
Reverts: 89c2617afbfe6250ee7dfd4ee4641c8f74c54004
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
| |
If a distfile has multiple detached signatures, pass verification
if at least one of them can be verified rather than requiring all
of them. This is particularly helpful for upstreams where the whole
set of release keys is hard to come by.
Closes: https://bugs.gentoo.org/873211
Closes: https://github.com/gentoo/gentoo/pull/29224
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
|
|
|
| |
Force using TMPDIR=/tmp to workaround GPG failing when TMPDIR happens
to be long enough to cause UNIX socket paths to exceed the system limit.
Closes: https://bugs.gentoo.org/854492
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
| |
Bug: https://bugs.gentoo.org/835396
Signed-off-by: Ulrich Müller <ulm@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
Split the logic for verifying checksums into a dedicated functions
that can also be used directly when dealing with a checksum file
that uses a detached signature.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
|
|
|
|
|
|
|
|
| |
It is useful for verifying distfiles that come from OpenBSD folks, since
signify produces signatures incompatible with GnuPG.
Signed-off-by: Anna Vyalkova <cyber+gentoo@sysrq.in>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
|
|
|
|
| |
Add a function to verify files containing PGP signed messages (i.e. not
using detached signatures). This will be used for projects that publish
signed checksum lists.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
|
|
| |
Signed-off-by: Joonas Niilola <juippis@gentoo.org>
|
|
|
|
| |
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|
|
verify-sig eclass provides a streamlined approach to verifying upstream
signatures on distfiles. Its primary purpose is to permit developers
to easily verify signatures while bumping packages. The eclass removes
the risk of developer forgetting to perform the verification,
or performing it incorrectly, e.g. due to additional keys in the local
keyring. It also permits users to verify the developer's work.
Signed-off-by: Michał Górny <mgorny@gentoo.org>
|