texlive[55180] Master/tlpkg/bin: tlgpg: new program for common gpg
commits+karl at tug.org
commits+karl at tug.org
Sun May 17 19:43:50 CEST 2020
Revision: 55180
http://tug.org/svn/texlive?view=revision&revision=55180
Author: karl
Date: 2020-05-17 19:43:50 +0200 (Sun, 17 May 2020)
Log Message:
-----------
tlgpg: new program for common gpg arguments for TL usage, notably --homedir.
tlgpg-verify: new script, following TLCrypto.pm for checks.
tl-sign-file: use tlgpg and tlgpg-verify.
tl-update-tlnet: run tlgpg-verify on the new tlnet's tlpdb, both before and
after installation, since we've seen it fail.
Modified Paths:
--------------
trunk/Master/tlpkg/bin/tl-sign-file
trunk/Master/tlpkg/bin/tl-update-tlnet
Added Paths:
-----------
trunk/Master/tlpkg/bin/tlgpg
trunk/Master/tlpkg/bin/tlgpg-verify
Modified: trunk/Master/tlpkg/bin/tl-sign-file
===================================================================
--- trunk/Master/tlpkg/bin/tl-sign-file 2020-05-17 17:17:18 UTC (rev 55179)
+++ trunk/Master/tlpkg/bin/tl-sign-file 2020-05-17 17:43:50 UTC (rev 55180)
@@ -3,6 +3,8 @@
# Public domain. Originally written 2016, Norbert Preining.
# Sign a file for release in TeX Live. Used in tl-update-images,
# tl-update-tlnet, et al. See tlpkg/gpg/tl-key-extension.txt for some info.
+# Perhaps someday we will rename this to tlgpg-sign at some point,
+# to be more parallel with tlgpg-verify.
if test $# -ne 1; then
echo "$0: Exactly one argument must be given, the file to sign." >&2
@@ -9,67 +11,23 @@
exit 1
fi
-# remove previous signature else gpg will bail out.
+mydir=`cd \`dirname $0\` && pwd`
+PATH=$mydir:$PATH # for our tlgpg* commands
+
+# remove any previous signature, else gpg will bail out.
rm -f "$1.asc"
-gpg_prog=gpg
-gpg_opts="--batch --homedir /home/texlive/.gnupg \
- --passphrase-file /home/texlive/.gnupg/passphrase \
- --local-user 0x06BAB6BC "
-gpg_sign_opts="--armor --detach-sign"
-
-# use the environment variables if set. This is for testing;
-# we don't define them in normal usage.
-if test -n "$TL_GNUPG"; then
- gpg_prog=$TL_GNUPG
-fi
-if test -n "$TL_GNUPGOPTS"; then
- gpg_opts=$TL_GNUPGOPTS
-fi
-if test -n "$TL_GNUPG_SIGN_OPTS"; then
- gpg_sign_opts=$TL_GNUPG_SIGN_OPTS
-fi
-
-# sign, check that result is valid and doesn't use something expired.
-# both --detach-sign and --verify exit 0 even when something is expired.
-if $gpg_prog $gpg_sign_opts $gpg_opts "$1"; then
- status_out=`mktemp`
- verify_out=`mktemp`
- verify_cmd="$gpg_prog $gpg_opts --status-file=$status_out --verify --verbose"
- if $verify_cmd "$1".asc >$verify_out 2>&1; then
- if grep EXPKEYSIG $status_out >/dev/null; then
- err="expired key"
- elif grep REVKEYSIG $status_out >/dev/null; then
- err="revoked key"
- else
- err= # ok we hope
- fi
- else
- err="other error ($?)"
- fi
- if test -n "$err"; then
- echo "$0: gpg verification failed." >&2
- if test -r "$1".asc; then
- echo "$0: moving $1.asc to $1.asc.badv." >&2
- mv "$1".asc "$1".asc.badv || exit 1
- else
- echo "$0: no file $1.asc" >&2
- fi
- echo "$0: gpg verify command was:" >&2
- echo "$0: $verify_cmd" "$1" >&2
- echo "$0: STATUS FILE OUTPUT:" >&2
- cat $status_out >&2
- echo "$0: -------------------" >&2
- echo "$0: STDOUT/STDERR:" >&2
- cat $verify_out >&2
- echo "$0: -------------------" >&2
- echo "$0: goodbye and good luck." >&2
- rm -f $status_out $verify_out
+sign_cmd="tlgpg --detach-sign --armor"
+if $sign_cmd "$1"; then
+ # signing will succeed even with expired keys and other problems, so
+ # do verification; our tlpgpg-verify script will report the errors, so
+ # just exit if it fails.
+ if tlgpg-verify "$1"; then :; else
+ echo "$0: gpg signing did not verify, exiting." >&2
exit 1
fi
- rm -f $status_out $verify_out
-
-else # the original gpg run failed.
+
+else # original gpg signing failed.
echo "$0: gpg signing failed." >&2
if test -r "$1".asc; then
echo "$0: moving $1.asc to $1.asc.bads." >&2
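Review bot: The new `mydir=` assignment leaves mydir empty if the `cd` fails (and `$0` is unquoted), and the following `PATH=$mydir:$PATH` then begins PATH with an empty entry, which the shell resolves as the current directory, so `tlgpg` and `tlgpg-verify` would be looked up wherever the script happens to be invoked from. Quote and abort on failure instead: `mydir=$(cd "$(dirname "$0")" && pwd) || exit 1`; the identical line in the new tlgpg-verify has the same issue. The comment in the verification branch spells the helper `tlpgpg-verify` where it means `tlgpg-verify`. The else branch of the signing `if` continues past the end of the hunk.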
Modified: trunk/Master/tlpkg/bin/tl-update-tlnet
===================================================================
--- trunk/Master/tlpkg/bin/tl-update-tlnet 2020-05-17 17:17:18 UTC (rev 55179)
+++ trunk/Master/tlpkg/bin/tl-update-tlnet 2020-05-17 17:43:50 UTC (rev 55180)
@@ -268,12 +268,13 @@
# more consistency checks.
if test $failure = false; then
for cmd in \
+ "$Master/tlpkg/bin/tlgpg-verify $tltry/tlpkg/texlive.tlpdb" \
+ "$Master/tlpkg/bin/tl-compare-tlpdbs $critical $tltry/tlpkg/texlive.tlpdb" \
+ "$Master/tlpkg/bin/tl-check-symlinks $tltryinst/$yyyy/bin" \
"$tltryinst/$yyyy/bin/*/tlmgr --repository $tltry update --list" \
"$tltryinst/$yyyy/bin/*/updmap-sys -n" \
"$tltryinst/$yyyy/bin/*/mktexlsr -n --verbose" \
- "$Master/tlpkg/bin/tl-check-symlinks $tltryinst/$yyyy/bin" \
"$Master/tlpkg/bin/tl-check-tlnet-consistency --location=$tltry" \
- "$Master/tlpkg/bin/tl-compare-tlpdbs $critical $tltry/tlpkg/texlive.tlpdb" \
; do
cmdname=`echo "$cmd" | awk '{print $1}'`
if echo "$cmdname" | grep check-tlnet-consistency >/dev/null; then
@@ -313,7 +314,7 @@
if $failure || $chicken; then
echo >&2
- echo "$prg: Our transcript file: $tlnet_install_log" >&2
+ echo "$prg: tl-update-tlnet transcript file: $tlnet_install_log" >&2
echo "$prg: install-tl log file: $install_tl_log" >&2
echo "$prg: Copies of both are in /tmp." >&2
echo "$prg: Please rm -rf the trial dir." >&2
@@ -338,10 +339,14 @@
test ! -r $f || cp -pf $f $tltry
done
-# mv then rm to avoid the mirmon probe from making the rm fail.
+# mv then rm to avoid the mirmon probe failing during the rm.
mv $tlweb $tltrybase/tlnet.old
mv $tltry $tlweb
rm -rf $tltrybase
+
+# We checked this above also, but check again.
+$Master/tlpkg/bin/tlgpg-verify $tlweb/tlpkg/texlive.tlpdb
+
echo "$0: Done."
exit 0
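Review bot: The exit status of the final `$Master/tlpkg/bin/tlgpg-verify $tlweb/tlpkg/texlive.tlpdb` is not checked, so if that re-verification fails the script still prints Done and exits 0, even though tlgpg-verify will by then have renamed the live tlpdb's .asc to .asc.badv, leaving the published tlnet unsigned while reporting success (unless the script runs under `set -e`, which is not visible here). Propagate the failure: `$Master/tlpkg/bin/tlgpg-verify $tlweb/tlpkg/texlive.tlpdb || exit 1`. The earlier call added inside the for loop in the first hunk appears to go through the script's existing $failure handling, so it is the post-move call that needs this.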
Added: trunk/Master/tlpkg/bin/tlgpg
===================================================================
--- trunk/Master/tlpkg/bin/tlgpg (rev 0)
+++ trunk/Master/tlpkg/bin/tlgpg 2020-05-17 17:43:50 UTC (rev 55180)
@@ -0,0 +1,34 @@
+#!/bin/sh
+# $Id$
+# Public domain. Originally written 2016, Norbert Preining.
+# Run a gpg command for TeX Live, that is, with the TL --homedir, etc.
+# Since we want to be able to independently sign and verify, factor this out.
+
+if test $# -eq 0; then
+ echo "$0: At least one argument must be given." >&2
+ exit 1
+fi
+
+gpg_prog=gpg
+gpg_opts="--batch --homedir /home/texlive/.gnupg \
+ --passphrase-file /home/texlive/.gnupg/passphrase \
+ --local-user 0x06BAB6BC "
+
+# use the environment variables if set. This is for testing;
+# we don't define them in normal usage.
+if test -n "$TL_GNUPG"; then
+ gpg_prog=$TL_GNUPG
+fi
+if test -n "$TL_GNUPGOPTS"; then
+ gpg_opts=$TL_GNUPGOPTS
+fi
+
+if $gpg_prog $gpg_opts "$@" </dev/null; then
+ :
+else
+ echo "$0: gpg failed; command was:" >&2
+ echo "$0: $gpg_prog $gpg_opts" "$@" >&2
+ exit 1
+fi
+
+exit 0
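Review bot: The `exit 1` in the else branch discards gpg's own exit status, which the callers' diagnostics rely on: tlgpg-verify reports `other error ($?)`, and since it now calls tlgpg rather than gpg directly that value will always be 1, where the old inline gpg call in tl-sign-file distinguished gpg's status codes. Capture and forward it: `$gpg_prog $gpg_opts "$@" </dev/null; rc=$?`, then `if test $rc -ne 0; then` for the error branch and `exit $rc` in place of `exit 1`. A one-line comment on the `</dev/null` redirect would also help, e.g. `# no stdin: gpg must never block waiting for input`, and the header could note that the default `--passphrase-file` and `--local-user` options are passed to every invocation, including `--verify`, where they are not needed.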
Property changes on: trunk/Master/tlpkg/bin/tlgpg
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision
\ No newline at end of property
Added: trunk/Master/tlpkg/bin/tlgpg-verify
===================================================================
--- trunk/Master/tlpkg/bin/tlgpg-verify (rev 0)
+++ trunk/Master/tlpkg/bin/tlgpg-verify 2020-05-17 17:43:50 UTC (rev 55180)
@@ -0,0 +1,61 @@
+#!/bin/sh
+# $Id$
+# Public domain. Originally written 2020, Norbert Preining.
+# gpg --verify ARG.asc. If verification fails, show all output.
+# Adapted from TeXLive/TLCrypto.pm.
+
+if test $# -ne 1; then
+ echo "$0: Exactly one argument must be given, the file to verify," >&2
+ echo "$0: with or without the .asc." >&2
+ exit 1
+fi
+
+if echo "$1" | grep '\.asc$' >/dev/null; then
+ asc_file=$1
+else
+ asc_file=$1.asc
+fi
+
+if test ! -s "$asc_file"; then
+ echo "$0: $asc_file nonexistent or empty, goodbye." >&2
+ exit 1
+fi
+
+mydir=`cd \`dirname $0\` && pwd`
+PATH=$mydir:$PATH # for our tlgpg command
+
+status_out=`mktemp`
+verify_out=`mktemp`
+verify_cmd="tlgpg --status-file=$status_out --verify --verbose"
+
+# gpg exit status is zero with expired keys,
+# but we want to fail in that case.
+if $verify_cmd "$asc_file" >$verify_out 2>&1; then
+ if grep EXPKEYSIG $status_out >/dev/null; then
+ err="expired key"
+ elif grep REVKEYSIG $status_out >/dev/null; then
+ err="revoked key"
+ else
+ err= # ok we hope
+ fi
+else
+ err="other error ($?)"
+fi
+
+if test -n "$err"; then
+ echo "$0: gpg verification failed for: $asc_file" >&2
+ echo "$0: moving $asc_file to $asc_file.badv." >&2
+ mv "$asc_file" "$asc_file".badv || exit 1
+ echo "$0: gpg verify command was:" >&2
+ echo "$0: $verify_cmd" "$1" >&2
+ echo "$0: GPG STATUS FILE OUTPUT:" >&2
+ cat $status_out >&2
+ echo "$0: GPG STDOUT/STDERR:" >&2
+ cat $verify_out >&2
+ echo "$0: goodbye and good luck." >&2
+ rm -f $status_out $verify_out
+ exit 1
+fi
+rm -f $status_out $verify_out
+
+exit 0
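Review bot: After a successful gpg run the script only greps the status file for EXPKEYSIG and REVKEYSIG; it never checks that a GOODSIG/VALIDSIG status line names the TeX Live release key, so a signature made by any other key present in the --homedir keyring is accepted. That is probably tolerable while the dedicated homedir holds only the release key, but a positive match against the expected key (the id passed as --local-user in tlgpg is the only identifier visible here) would make this a real signer check rather than just an expiry check; a comment stating that assumption is the minimum. Separately, the `mv ... || exit 1` on the failure path exits before the `rm -f $status_out $verify_out`, leaving both mktemp files behind; a `trap 'rm -f $status_out $verify_out' EXIT` right after the two mktemp calls covers every exit path and lets the two explicit rm lines go. The `mydir=` line has the same unquoted `$0` and empty-on-failure problem as in tl-sign-file.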
Property changes on: trunk/Master/tlpkg/bin/tlgpg-verify
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision
\ No newline at end of property