texlive[55147] Master/tlpkg: verify signed file as with

commits+karl at tug.org commits+karl at tug.org
Fri May 15 16:58:17 CEST 2020


Revision: 55147
          http://tug.org/svn/texlive?view=revision&revision=55147
Author:   karl
Date:     2020-05-15 16:58:16 +0200 (Fri, 15 May 2020)
Log Message:
-----------
verify signed file as with TLCrypto::gpg_verify_signature

Modified Paths:
--------------
    trunk/Master/tlpkg/bin/tl-sign-file
    trunk/Master/tlpkg/gpg/tl-key-extension.txt

Modified: trunk/Master/tlpkg/bin/tl-sign-file
===================================================================
--- trunk/Master/tlpkg/bin/tl-sign-file	2020-05-14 23:53:15 UTC (rev 55146)
+++ trunk/Master/tlpkg/bin/tl-sign-file	2020-05-15 14:58:16 UTC (rev 55147)
@@ -1,8 +1,8 @@
 #!/bin/sh
 # $Id$
-# Public domain.  Originally written 2016, Norbert Preining.
-# Sign a file for release in TeX Live. Used in tl-update-images, etc.
-# See tlpkg/gpg/tl-key-extension.txt for some info.
+# Public domain. Originally written 2016, Norbert Preining.
+# Sign a file for release in TeX Live. Used in tl-update-images,
+# tl-update-tlnet, et al. See tlpkg/gpg/tl-key-extension.txt for some info.
 
 if test $# -ne 1; then
   echo "$0: Exactly one argument must be given, the file to sign." >&2
@@ -9,43 +9,77 @@
   exit 1
 fi
 
-# remove previous signature
+# remove previous signature else gpg will bail out.
 rm -f "$1.asc"
 
-prg=gpg
-gpgopts="--batch --homedir /home/texlive/.gnupg  \
+gpg_prog=gpg
+gpg_opts="--batch --homedir /home/texlive/.gnupg  \
   --passphrase-file /home/texlive/.gnupg/passphrase \
   --local-user 0x06BAB6BC "
-gpgmainopts="--armor --detach-sign"
+gpg_sign_opts="--armor --detach-sign"
 
-# use the environment variables if available
-if test -n "$TL_GNUPG" ; then
-  prg=$TL_GNUPG
+# use the environment variables if set. This is for testing;
+# we don't define them in normal usage.
+if test -n "$TL_GNUPG"; then
+  gpg_prog=$TL_GNUPG
 fi
-if test -n "$TL_GNUPGOPTS" ; then
-  gpgopts=$TL_GNUPGOPTS
+if test -n "$TL_GNUPGOPTS"; then
+  gpg_opts=$TL_GNUPGOPTS
 fi
-if test -n "$TL_GNUPGMAINOPTS" ; then
-  gpgmainopts=$TL_GNUPGMAINOPTS
+if test -n "$TL_GNUPG_SIGN_OPTS"; then
+  gpg_sign_opts=$TL_GNUPG_SIGN_OPTS
 fi
 
-# sign, check that result doesn't use something expired.
+# sign, check that result is valid and doesn't use something expired.
 # both --detach-sign and --verify exit 0 even when something is expired.
-if "$prg" $gpgmainopts $gpgopts "$1"; then
-  if "$prg" --verify "$1".asc 2>&1 | grep xpired >/dev/null; then
-    echo "$0: expired key, output from $prg --verify $1.asc:" >&2
-    "$prg" --verify "$1".asc
-    echo "$0: expired key, moving $1.asc to $1.asc.xpir." >&2
-    mv "$1".asc "$1".asc.xpir || exit 1
-    echo "$0: gpg command was:" >&2
-    echo "$0:" "$prg" $gpgmainopts $gpgopts "$1" >&2
-    echo "$0: good luck and goodbye." >&2
+if $gpg_prog $gpg_sign_opts $gpg_opts "$1"; then
+  status_out=`mktemp`
+  verify_out=`mktemp`
+  verify_cmd="$gpg_prog $gpg_opts --status-file=$status_out --verify --verbose"
+  if $verify_cmd "$1".asc >$verify_out 2>&1; then
+    if grep EXPKEYSIG $status_out >/dev/null; then
+      err="expired key"
+    elif grep REVKEYSIG $status_out >/dev/null; then
+      err="revoked key"
+    else
+      err= # ok we hope
+    fi
+  else
+    err="other error ($?)"
+  fi
+  if test -n "$err"; then
+    echo "$0: gpg verification failed." >&2
+    if test -r "$1".asc; then
+      echo "$0: moving $1.asc to $1.asc.badv." >&2
+      mv "$1".asc "$1".asc.badv || exit 1
+    else
+      echo "$0: no file $1.asc" >&2
+    fi      
+    echo "$0: gpg verify command was:" >&2
+    echo "$0: $verify_cmd" "$1" >&2
+    echo "$0: STATUS FILE OUTPUT:" >&2
+    cat $status_out >&2
+    echo "$0: -------------------" >&2    
+    echo "$0: STDOUT/STDERR:" >&2
+    cat $verify_out >&2
+    echo "$0: -------------------" >&2    
+    echo "$0: goodbye and good luck." >&2
+    rm -f $status_out $verify_out
     exit 1
   fi
-else
-  echo "$0: gpg failed, exiting." >&2
+  rm -f $status_out $verify_out
+
+else # the original gpg run failed.
+  echo "$0: gpg signing failed." >&2
+  if test -r "$1".asc; then
+    echo "$0: moving $1.asc to $1.asc.bads." >&2
+    mv "$1".asc "$1".asc.bads || exit 1
+  else
+    echo "$0: no file $1.asc" >&2
+  fi
   echo "$0: gpg command was:" >&2
-  echo "$0:" "$prg" $gpgmainopts $gpgopts "$1" >&2
+  echo "$0: $gpg_prog $gpg_sign_opts $gpg_opts" "$1" >&2
+  echo "$0: goodbye and good luck." >&2
   exit 1
 fi
 
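Review bot: The accepting branch of the verification check (the `else` ending in `err= # ok we hope`) treats any gpg exit 0 whose status file lacks EXPKEYSIG/REVKEYSIG as a good signature, so a run that reports no signature status at all, or an expired signature (EXPSIG rather than an expired key), passes. Require a positive result instead: add `elif ! grep VALIDSIG $status_out >/dev/null; then` / `err="no valid signature reported"` before that `else`, so the script only keeps the .asc when gpg has actually reported a valid signature. Separately, the two mktemp files are removed only on the two explicit `rm -f` lines; the `mv "$1".asc "$1".asc.badv || exit 1` path and any signal leave them behind, and `mktemp` failure is unchecked — `trap 'rm -f "$status_out" "$verify_out"' EXIT` right after the two mktemp lines (each with `|| exit 1`) covers every exit path. Quoting `"$status_out"` and `"$verify_out"` in the grep/cat/rm lines would also keep the script safe if TMPDIR contains spaces.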

Modified: trunk/Master/tlpkg/gpg/tl-key-extension.txt
===================================================================
--- trunk/Master/tlpkg/gpg/tl-key-extension.txt	2020-05-14 23:53:15 UTC (rev 55146)
+++ trunk/Master/tlpkg/gpg/tl-key-extension.txt	2020-05-15 14:58:16 UTC (rev 55147)
@@ -43,7 +43,17 @@
 # texlive.asc, see above how to export it)
 gpg --homedir ~texlive/.gnupg --import texlive.asc
 
+# can view that .asc with:
+gpg --show-keyring texlive.asc
 
+# update web-accessible public key, keeping old files but updating symlink:
+cp texlive.asc ~www/texlive/files/texlive`date +%Y`.asc
+ln -s texlive`date +%Y`.asc ~www/texlive/files/texlive.asc
+
 More info: 
-. we use tlpkg/bin/tl-sign-file to sign texlive.tlpdb.
-. gpg --verify --verbose foo.asc for info on signature of file.
+. we use tlpkg/bin/tl-sign-file to sign texlive.tlpdb.sha512.
+. gpg --verify --verbose foo.asc for info on signature file.
+. but exit status is zero even with expired keys; to check,
+  use --status-file and inspect:
+gpg --verify --verbose --status-file=/tmp/st foo.asc
+. see tl-sign-file or TLCrypto.pm for full implementation.


