texlive[54986] Master/tlpkg: fail if gpg fails or key expired

commits+karl at tug.org
Sun May 3 17:10:31 CEST 2020


Revision: 54986
          http://tug.org/svn/texlive?view=revision&revision=54986
Author:   karl
Date:     2020-05-03 17:10:31 +0200 (Sun, 03 May 2020)
Log Message:
-----------
fail if gpg fails or key expired

Modified Paths:
--------------
    trunk/Master/tlpkg/bin/tl-sign-file
    trunk/Master/tlpkg/gpg/tl-key-extension.txt

Modified: trunk/Master/tlpkg/bin/tl-sign-file
===================================================================
--- trunk/Master/tlpkg/bin/tl-sign-file	2020-05-03 13:50:13 UTC (rev 54985)
+++ trunk/Master/tlpkg/bin/tl-sign-file	2020-05-03 15:10:31 UTC (rev 54986)
@@ -29,5 +29,24 @@
   gpgmainopts=$TL_GNUPGMAINOPTS
 fi
 
-# sign
-"$prg" $gpgmainopts $gpgopts "$1"
+# sign, check that result doesn't use something expired.
+# both --detach-sign and --verify exit 0 even when something is expired.
+if "$prg" $gpgmainopts $gpgopts "$1"; then
+  if "$prg" --verify "$1".asc 2>&1 | grep xpired >/dev/null; then
+    echo "$0: expired key, output from $prg --verify $1.asc:" >&2
+    "$prg" --verify "$1".asc
+    echo "$0: expired key, moving $1.asc to $1.asc.xpir." >&2
+    mv "$1".asc "$1".asc.xpir || exit 1
+    echo "$0: gpg command was:" >&2
+    echo "$0:" "$prg" $gpgmainopts $gpgopts "$1" >&2
+    echo "$0: good luck and goodbye." >&2
+    exit 1
+  fi
+else
+  echo "$0: gpg failed, exiting." >&2
+  echo "$0: gpg command was:" >&2
+  echo "$0:" "$prg" $gpgmainopts $gpgopts "$1" >&2
+  exit 1
+fi
+
+exit 0
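
Review bot: the expiry check in the `if "$prg" --verify "$1".asc 2>&1 | grep xpired` line is fragile in two ways that matter given the hunk's own comment that `--verify` exits 0 on an expired key. First, the verify call drops the `$gpgmainopts` that the signing call on the line above passes; if those options select the homedir or keyring holding the signing key, the verify runs against a different keyring, fails (for example with no public key), the pipe into `grep` masks that non-zero status, and the script falls through to `exit 0` with the signature kept. Second, matching the literal string `xpired` depends on gpg's English messages; under a non-English locale the warning is translated and the check never fires. Suggest running the verify with the same main options and with machine-readable status, e.g. `"$prg" $gpgmainopts --status-fd 1 --verify "$1".asc | grep -E 'KEYEXPIRED|EXPKEYSIG'`, and treating a failed verify as an error in its own right rather than as "not expired". Minor: the second `"$prg" --verify "$1".asc` that prints the diagnostic should get the same options so the user sees the output that triggered the failure.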

Modified: trunk/Master/tlpkg/gpg/tl-key-extension.txt
===================================================================
--- trunk/Master/tlpkg/gpg/tl-key-extension.txt	2020-05-03 13:50:13 UTC (rev 54985)
+++ trunk/Master/tlpkg/gpg/tl-key-extension.txt	2020-05-03 15:10:31 UTC (rev 54986)
@@ -4,13 +4,12 @@
 How to update TeX Live distribution signing key
 ===============================================
 
-this should be done every year during the pretest.
+This must be done every year! It's not optional.
 
 shut down networking service
 
 cp gpg directory from USB stick to computer
 
-
 export GNUPGHOME=...<COPY OF USBSTICK gpg directory>
 export KEYID=0xC78B82D8C79512F79CC0D7C80D5E5D9106BAB6BC
 gpg --edit-key $KEYID
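Review bot: the rewritten line `+This must be done every year! It's not optional.` drops the timing that the removed line carried (`during the pretest`); keep the when as well as the must, e.g. `This must be done every year, during the pretest. It's not optional.`, since tl-sign-file in this same commit now refuses to produce a signature once the key has expired, so the extension has to land before the yearly signing run, not after it fails.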
@@ -44,3 +43,7 @@
 # texlive.asc, see above how to export it)
 gpg --homedir ~texlive/.gnupg --import texlive.asc
 
+
+More info: 
+. we use tlpkg/bin/tl-sign-file to sign texlive.tlpdb.
+. gpg --verify --verbose foo.asc for info on signature of file.
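Review bot: `+More info: ` carries a trailing space, and the `gpg --verify --verbose foo.asc` hint deserves one more clause: as the tl-sign-file change in this commit notes, an expired signing key is only reported as a note in that output and does not change gpg's exit status, so the reader has to look at the message rather than the return code. A line such as `gpg --homedir ~texlive/.gnupg --list-keys $KEYID`, which shows the key's current `[expires: ...]` date, would also fit in this section, since checking that date is the reason the procedure is run each year.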


