texlive[55180] Master/tlpkg/bin: tlgpg: new program for common gpg

commits+karl at tug.org commits+karl at tug.org
Sun May 17 19:43:50 CEST 2020


Revision: 55180
          http://tug.org/svn/texlive?view=revision&revision=55180
Author:   karl
Date:     2020-05-17 19:43:50 +0200 (Sun, 17 May 2020)
Log Message:
-----------
tlgpg: new program for common gpg arguments for TL usage, notably --homedir.
tlgpg-verify: new script, following TLCrypto.pm for checks.
tl-sign-file: use tlgpg and tlgpg-verify.
tl-update-tlnet: run tlgpg-verify on the new tlnet's tlpdb, both before and
after installation, since we've seen it fail.

Modified Paths:
--------------
    trunk/Master/tlpkg/bin/tl-sign-file
    trunk/Master/tlpkg/bin/tl-update-tlnet

Added Paths:
-----------
    trunk/Master/tlpkg/bin/tlgpg
    trunk/Master/tlpkg/bin/tlgpg-verify

Modified: trunk/Master/tlpkg/bin/tl-sign-file
===================================================================
--- trunk/Master/tlpkg/bin/tl-sign-file	2020-05-17 17:17:18 UTC (rev 55179)
+++ trunk/Master/tlpkg/bin/tl-sign-file	2020-05-17 17:43:50 UTC (rev 55180)
@@ -3,6 +3,8 @@
 # Public domain. Originally written 2016, Norbert Preining.
 # Sign a file for release in TeX Live. Used in tl-update-images,
 # tl-update-tlnet, et al. See tlpkg/gpg/tl-key-extension.txt for some info.
+# Perhaps someday we will rename this to tlgpg-sign at some point,
+# to be more parallel with tlgpg-verify.
 
 if test $# -ne 1; then
   echo "$0: Exactly one argument must be given, the file to sign." >&2
@@ -9,67 +11,23 @@
   exit 1
 fi
 
-# remove previous signature else gpg will bail out.
+mydir=`cd \`dirname $0\` && pwd`
+PATH=$mydir:$PATH # for our tlgpg* commands
+
+# remove any previous signature, else gpg will bail out.
 rm -f "$1.asc"
 
-gpg_prog=gpg
-gpg_opts="--batch --homedir /home/texlive/.gnupg  \
-  --passphrase-file /home/texlive/.gnupg/passphrase \
-  --local-user 0x06BAB6BC "
-gpg_sign_opts="--armor --detach-sign"
-
-# use the environment variables if set. This is for testing;
-# we don't define them in normal usage.
-if test -n "$TL_GNUPG"; then
-  gpg_prog=$TL_GNUPG
-fi
-if test -n "$TL_GNUPGOPTS"; then
-  gpg_opts=$TL_GNUPGOPTS
-fi
-if test -n "$TL_GNUPG_SIGN_OPTS"; then
-  gpg_sign_opts=$TL_GNUPG_SIGN_OPTS
-fi
-
-# sign, check that result is valid and doesn't use something expired.
-# both --detach-sign and --verify exit 0 even when something is expired.
-if $gpg_prog $gpg_sign_opts $gpg_opts "$1"; then
-  status_out=`mktemp`
-  verify_out=`mktemp`
-  verify_cmd="$gpg_prog $gpg_opts --status-file=$status_out --verify --verbose"
-  if $verify_cmd "$1".asc >$verify_out 2>&1; then
-    if grep EXPKEYSIG $status_out >/dev/null; then
-      err="expired key"
-    elif grep REVKEYSIG $status_out >/dev/null; then
-      err="revoked key"
-    else
-      err= # ok we hope
-    fi
-  else
-    err="other error ($?)"
-  fi
-  if test -n "$err"; then
-    echo "$0: gpg verification failed." >&2
-    if test -r "$1".asc; then
-      echo "$0: moving $1.asc to $1.asc.badv." >&2
-      mv "$1".asc "$1".asc.badv || exit 1
-    else
-      echo "$0: no file $1.asc" >&2
-    fi      
-    echo "$0: gpg verify command was:" >&2
-    echo "$0: $verify_cmd" "$1" >&2
-    echo "$0: STATUS FILE OUTPUT:" >&2
-    cat $status_out >&2
-    echo "$0: -------------------" >&2    
-    echo "$0: STDOUT/STDERR:" >&2
-    cat $verify_out >&2
-    echo "$0: -------------------" >&2    
-    echo "$0: goodbye and good luck." >&2
-    rm -f $status_out $verify_out
+sign_cmd="tlgpg --detach-sign --armor"
+if $sign_cmd "$1"; then
+  # signing will succeed even with expired keys and other problems, so
+  # do verification; our tlpgpg-verify script will report the errors, so
+  # just exit if it fails.
+  if tlgpg-verify "$1"; then :; else
+    echo "$0: gpg signing did not verify, exiting." >&2
     exit 1
   fi
-  rm -f $status_out $verify_out
-
-else # the original gpg run failed.
+  
+else # original gpg signing failed.
   echo "$0: gpg signing failed." >&2
   if test -r "$1".asc; then
     echo "$0: moving $1.asc to $1.asc.bads." >&2
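Review bot: The `mydir=` line computes the script directory with an unquoted `$0` and never checks that the `cd` succeeded; when it fails, `mydir` is empty and the following `PATH=$mydir:$PATH` prepends an empty component, which the shell treats as the current directory, so `tlgpg` and `tlgpg-verify` would be looked up in whatever directory the signer was invoked from before anything else. Suggest `mydir=$(cd "$(dirname "$0")" && pwd) || exit 1` so a script that cannot locate its own helpers stops instead of searching the cwd. Also, the comment says `tlpgpg-verify` where the script added in this commit is `tlgpg-verify`. The `else` branch handling a failed signing run continues past the end of this hunk.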

Modified: trunk/Master/tlpkg/bin/tl-update-tlnet
===================================================================
--- trunk/Master/tlpkg/bin/tl-update-tlnet	2020-05-17 17:17:18 UTC (rev 55179)
+++ trunk/Master/tlpkg/bin/tl-update-tlnet	2020-05-17 17:43:50 UTC (rev 55180)
@@ -268,12 +268,13 @@
 # more consistency checks.
 if test $failure = false; then
   for cmd in \
+   "$Master/tlpkg/bin/tlgpg-verify $tltry/tlpkg/texlive.tlpdb" \
+   "$Master/tlpkg/bin/tl-compare-tlpdbs $critical $tltry/tlpkg/texlive.tlpdb" \
+   "$Master/tlpkg/bin/tl-check-symlinks $tltryinst/$yyyy/bin" \
    "$tltryinst/$yyyy/bin/*/tlmgr --repository $tltry update --list" \
    "$tltryinst/$yyyy/bin/*/updmap-sys -n" \
    "$tltryinst/$yyyy/bin/*/mktexlsr -n --verbose" \
-   "$Master/tlpkg/bin/tl-check-symlinks $tltryinst/$yyyy/bin" \
    "$Master/tlpkg/bin/tl-check-tlnet-consistency --location=$tltry" \
-   "$Master/tlpkg/bin/tl-compare-tlpdbs $critical $tltry/tlpkg/texlive.tlpdb" \
   ; do
     cmdname=`echo "$cmd" | awk '{print $1}'`
     if echo "$cmdname" | grep check-tlnet-consistency >/dev/null; then
@@ -313,7 +314,7 @@
 
 if $failure || $chicken; then
   echo >&2
-  echo "$prg: Our transcript file: $tlnet_install_log" >&2
+  echo "$prg: tl-update-tlnet transcript file: $tlnet_install_log" >&2
   echo "$prg: install-tl log file: $install_tl_log" >&2
   echo "$prg: Copies of both are in /tmp." >&2
   echo "$prg: Please rm -rf the trial dir." >&2
@@ -338,10 +339,14 @@
   test ! -r $f || cp -pf $f $tltry
 done
 
-# mv then rm to avoid the mirmon probe from making the rm fail.
+# mv then rm to avoid the mirmon probe failing during the rm.
 mv $tlweb $tltrybase/tlnet.old
 mv $tltry $tlweb
 rm -rf $tltrybase
+
+# We checked this above also, but check again.
+$Master/tlpkg/bin/tlgpg-verify $tlweb/tlpkg/texlive.tlpdb
+
 echo "$0: Done."
 
 exit 0
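Review bot: The exit status of the final `$Master/tlpkg/bin/tlgpg-verify $tlweb/tlpkg/texlive.tlpdb` is ignored, so on failure the script still prints "Done." and exits 0; worse, tlgpg-verify as added in this commit renames the `.asc` it rejects to `.badv`, which here would strip the signature from the live tlnet, and `rm -rf $tltrybase` has already discarded `tlnet.old`, leaving nothing to roll back to. Suggest moving the call above the `rm -rf $tltrybase` line and failing on it, e.g. `$Master/tlpkg/bin/tlgpg-verify $tlweb/tlpkg/texlive.tlpdb || exit 1`, so the previous tree is still on disk and the operator is told to restore it. The "check again" comment could then say why: the trial-dir check above ran before the `mv`, and this one confirms what was actually published.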

Added: trunk/Master/tlpkg/bin/tlgpg
===================================================================
--- trunk/Master/tlpkg/bin/tlgpg	                        (rev 0)
+++ trunk/Master/tlpkg/bin/tlgpg	2020-05-17 17:43:50 UTC (rev 55180)
@@ -0,0 +1,34 @@
+#!/bin/sh
+# $Id$
+# Public domain. Originally written 2016, Norbert Preining.
+# Run a gpg command for TeX Live, that is, with the TL --homedir, etc.
+# Since we want to be able to independently sign and verify, factor this out.
+
+if test $# -eq 0; then
+  echo "$0: At least one argument must be given." >&2
+  exit 1
+fi
+
+gpg_prog=gpg
+gpg_opts="--batch --homedir /home/texlive/.gnupg  \
+  --passphrase-file /home/texlive/.gnupg/passphrase \
+  --local-user 0x06BAB6BC "
+
+# use the environment variables if set. This is for testing;
+# we don't define them in normal usage.
+if test -n "$TL_GNUPG"; then
+  gpg_prog=$TL_GNUPG
+fi
+if test -n "$TL_GNUPGOPTS"; then
+  gpg_opts=$TL_GNUPGOPTS
+fi
+
+if $gpg_prog $gpg_opts "$@" </dev/null; then
+  :
+else
+  echo "$0: gpg failed; command was:" >&2
+  echo "$0:   $gpg_prog $gpg_opts" "$@" >&2
+  exit 1
+fi
+
+exit 0
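Review bot: `--local-user 0x06BAB6BC` selects the signing key by a 32-bit short key ID, which gpg resolves against whatever is in the homedir keyring and which is cheap to collide; use the full 40-hex fingerprint instead, with a trailing `!` if the intent is to pin that exact key or subkey (`--local-user <fingerprint>!`). The same `$gpg_opts` string, including `--local-user` and `--passphrase-file`, is passed on every invocation, so verify runs carry signing-only options; that is harmless but worth a comment such as `# --local-user/--passphrase-file are ignored by --verify` so nobody later tries to split them. The header could also document the `TL_GNUPG`/`TL_GNUPGOPTS` test overrides, since anyone who can set them in the signing environment replaces the gpg binary and the homedir.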


Property changes on: trunk/Master/tlpkg/bin/tlgpg
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision
\ No newline at end of property
Added: trunk/Master/tlpkg/bin/tlgpg-verify
===================================================================
--- trunk/Master/tlpkg/bin/tlgpg-verify	                        (rev 0)
+++ trunk/Master/tlpkg/bin/tlgpg-verify	2020-05-17 17:43:50 UTC (rev 55180)
@@ -0,0 +1,61 @@
+#!/bin/sh
+# $Id$
+# Public domain. Originally written 2020, Norbert Preining.
+# gpg --verify ARG.asc. If verification fails, show all output.
+# Adapted from TeXLive/TLCrypto.pm.
+
+if test $# -ne 1; then
+  echo "$0: Exactly one argument must be given, the file to verify," >&2
+  echo "$0: with or without the .asc." >&2
+  exit 1
+fi
+
+if echo "$1" | grep '\.asc$' >/dev/null; then
+  asc_file=$1
+else
+  asc_file=$1.asc
+fi
+
+if test ! -s "$asc_file"; then
+  echo "$0: $asc_file nonexistent or empty, goodbye." >&2
+  exit 1
+fi
+
+mydir=`cd \`dirname $0\` && pwd`
+PATH=$mydir:$PATH # for our tlgpg command
+
+status_out=`mktemp`
+verify_out=`mktemp`
+verify_cmd="tlgpg --status-file=$status_out --verify --verbose"
+
+# gpg exit status is zero with expired keys,
+# but we want to fail in that case.
+if $verify_cmd "$asc_file" >$verify_out 2>&1; then
+  if grep EXPKEYSIG $status_out >/dev/null; then
+    err="expired key"
+  elif grep REVKEYSIG $status_out >/dev/null; then
+    err="revoked key"
+  else
+    err= # ok we hope
+  fi
+else
+  err="other error ($?)"
+fi
+
+if test -n "$err"; then
+  echo "$0: gpg verification failed for: $asc_file" >&2
+  echo "$0: moving $asc_file to $asc_file.badv." >&2
+  mv "$asc_file" "$asc_file".badv || exit 1
+  echo "$0: gpg verify command was:" >&2
+  echo "$0:   $verify_cmd" "$1" >&2
+  echo "$0: GPG STATUS FILE OUTPUT:" >&2
+  cat $status_out >&2
+  echo "$0: GPG STDOUT/STDERR:" >&2
+  cat $verify_out >&2
+  echo "$0: goodbye and good luck." >&2
+  rm -f $status_out $verify_out
+  exit 1
+fi
+rm -f $status_out $verify_out
+
+exit 0
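Review bot: The verification accepts a good signature from any key present in the TL homedir keyring: after `$verify_cmd` exits 0 the script only greps the status file for EXPKEYSIG and REVKEYSIG, so nothing ties the signature to the TeX Live signing key. gpg already writes the signer's fingerprint on the `VALIDSIG` status line, so add a third branch before the "ok we hope" case, e.g. `elif ! grep -q "^\[GNUPG:\] VALIDSIG $tl_fingerprint " $status_out; then err="not signed by the TeX Live key"`, with `$tl_fingerprint` the full 40-hex fingerprint (the 0x06BAB6BC short ID used for signing is only 32 bits and should not be used for this check). Whether the keyring on the signing host ever holds other keys is not visible here, but the script is meant to mirror TLCrypto.pm's checks, so matching the signer is the check that matters. Minor: the `mv "$asc_file" "$asc_file".badv || exit 1` path leaves both mktemp files behind; a `trap 'rm -f $status_out $verify_out' EXIT` right after they are created would cover every exit.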


Property changes on: trunk/Master/tlpkg/bin/tlgpg-verify
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Author Id Revision
\ No newline at end of property

