texlive[54986] Master/tlpkg: fail if gpg fails or key expired
commits+karl at tug.org
Sun May 3 17:10:31 CEST 2020
Revision: 54986
http://tug.org/svn/texlive?view=revision&revision=54986
Author: karl
Date: 2020-05-03 17:10:31 +0200 (Sun, 03 May 2020)
Log Message:
-----------
fail if gpg fails or key expired
Modified Paths:
--------------
trunk/Master/tlpkg/bin/tl-sign-file
trunk/Master/tlpkg/gpg/tl-key-extension.txt
Modified: trunk/Master/tlpkg/bin/tl-sign-file
===================================================================
--- trunk/Master/tlpkg/bin/tl-sign-file 2020-05-03 13:50:13 UTC (rev 54985)
+++ trunk/Master/tlpkg/bin/tl-sign-file 2020-05-03 15:10:31 UTC (rev 54986)
@@ -29,5 +29,24 @@
gpgmainopts=$TL_GNUPGMAINOPTS
fi
-# sign
-"$prg" $gpgmainopts $gpgopts "$1"
+# sign, check that result doesn't use something expired.
+# both --detach-sign and --verify exit 0 even when something is expired.
+if "$prg" $gpgmainopts $gpgopts "$1"; then
+ if "$prg" --verify "$1".asc 2>&1 | grep xpired >/dev/null; then
+ echo "$0: expired key, output from $prg --verify $1.asc:" >&2
+ "$prg" --verify "$1".asc
+ echo "$0: expired key, moving $1.asc to $1.asc.xpir." >&2
+ mv "$1".asc "$1".asc.xpir || exit 1
+ echo "$0: gpg command was:" >&2
+ echo "$0:" "$prg" $gpgmainopts $gpgopts "$1" >&2
+ echo "$0: good luck and goodbye." >&2
+ exit 1
+ fi
+else
+ echo "$0: gpg failed, exiting." >&2
+ echo "$0: gpg command was:" >&2
+ echo "$0:" "$prg" $gpgmainopts $gpgopts "$1" >&2
+ exit 1
+fi
+
+exit 0
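Review bot: In the inner check, `"$prg" --verify "$1".asc 2>&1 | grep xpired`, the exit status of the verify is discarded by the pipe and the call omits the $gpgmainopts that the signing call one line above passes, so a verify that fails for any reason other than expiry (or that runs with different options than the signing did) yields no match and the script still reaches `exit 0`. Suggest running one verify with the same $gpgmainopts, capturing its output and status, exiting 1 on a non-zero status, and only then testing for expiry. Matching the human-readable text with `grep xpired` also depends on the message language; gpg's `--status-fd` output has fixed keywords for this (EXPSIG, EXPKEYSIG, KEYEXPIRED) that are safer to match. Capturing the output once would also remove the second --verify run that exists only to print it.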
Modified: trunk/Master/tlpkg/gpg/tl-key-extension.txt
===================================================================
--- trunk/Master/tlpkg/gpg/tl-key-extension.txt 2020-05-03 13:50:13 UTC (rev 54985)
+++ trunk/Master/tlpkg/gpg/tl-key-extension.txt 2020-05-03 15:10:31 UTC (rev 54986)
@@ -4,13 +4,12 @@
How to update TeX Live distribution signing key
===============================================
-this should be done every year during the pretest.
+This must be done every year! It's not optional.
shut down networking service
cp gpg directory from USB stick to computer
-
export GNUPGHOME=...<COPY OF USBSTICK gpg directory>
export KEYID=0xC78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC
gpg --edit-key $KEYID
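Review bot: The replacement sentence drops the only scheduling hint the file had ("during the pretest") and gives no way to tell when the deadline falls, so "every year" has no anchor. Suggest keeping the timing, for example "This must be done every year during the pretest; it's not optional.", and adding a line on how to see the current expiry (for instance `gpg --list-keys $KEYID`, which prints the expiration date) so it can be checked before the key lapses.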
@@ -44,3 +43,7 @@
# texlive.asc, see above how to export it)
gpg --homedir ~texlive/.gnupg --import texlive.asc
+
+More info:
+. we use tlpkg/bin/tl-sign-file to sign texlive.tlpdb.
+. gpg --verify --verbose foo.asc for info on signature of file.
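Review bot: The new "More info" lines do not mention the failure mode this same commit adds to tl-sign-file: on an expired key it moves the signature to <file>.asc.xpir and exits 1. Someone who hits that message will end up in this file, so a line here saying what the .asc.xpir file means and that the remedy is the key extension described above would close the loop. Minor: `foo.asc` could be the real signature name, which from tl-sign-file's "$1".asc would be texlive.tlpdb.asc when the argument is texlive.tlpdb.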