
refactor sign_release to use gnupg directly via subprocess

removes the need for python-gnupg which tends to have a relatively
unstable API and doesn't work properly on some machines.
debianarchive-update
parazyd 5 years ago
parent
commit
ea2b4dd295
Signed by untrusted user: parazyd GPG Key ID: F0CB28FCF78637DE
  1. 8
      README.md
  2. 2
      doc/setup.md
  3. 31
      lib/release.py

8
README.md

@ -19,19 +19,19 @@ of the according `Release` files.
Dependencies
------------
amprolla requires Python 3, and some external modules for it. The lowest
version it's been tested on was Python 3.4.
amprolla requires Python 3, the lowest version it's been tested on was
Python 3.4. It also requires the python-requests library.
### Devuan/Debian
```
rsync gnupg2 python3-requests python3-gnupg
rsync gnupg2 python3-requests
```
### Gentoo:
```
net-misc/rsync app-crypt/gnupg dev-python/requests dev-python/python-gnupg
net-misc/rsync app-crypt/gnupg dev-python/requests
```
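Review bot: The reworded Dependencies paragraph in README.md names python-requests but does not say that an executable called `gpg` must be on PATH, which lib/release.py now depends on because it invokes `'gpg'` by name. Since the package lists give `gnupg2` and `app-crypt/gnupg`, a sentence stating the expected binary name would save a confusing failure on systems where the package installs it under another name. The new sentence is also a comma splice ("requires Python 3, the lowest version..."); splitting it into two sentences reads better.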

2
doc/setup.md

@ -14,7 +14,7 @@ with the extra needed dependencies is using your package manager.
You will need the following:
```
python3, python-gnupg, python-requests, gnupg2, rsync
python3, python-requests, gnupg2, rsync
```
After installing the required dependencies, clone the amprolla git repo
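Review bot: The dependency list in doc/setup.md spells the requests package `python-requests`, while the Devuan/Debian list in README.md uses `python3-requests`. Since this line is being edited anyway, using one name in both files would avoid someone installing the Python 2 package by mistake.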

31
lib/release.py

@ -7,11 +7,12 @@ Release file functions and helpers
from datetime import datetime, timedelta
from gzip import decompress as gzip_decomp
from lzma import compress as lzma_comp
from os.path import basename, getsize, isfile
import gnupg
from os.path import getsize, isfile
from subprocess import Popen
from lib.config import (checksums, distrolabel, gpgdir, release_aliases,
release_keys, signingkey)
from lib.log import info
from lib.parse import parse_release_head
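Review bot: Importing only `Popen` in lib/release.py leaves exit-status checking and timeout cleanup to be written by hand in sign_release. `from subprocess import check_call` would raise on a non-zero gpg exit and accepts the same `timeout=` argument, and it is available on the Python 3.4 that README.md names as the lowest tested version.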
@ -85,19 +86,21 @@ def write_release(oldrel, newrel, filelist, r, sign=True, rewrite=True):
def sign_release(infile):
"""
Signs both the clearsign and the detached signature of a Release file
Signs both the clearsign and the detached signature of a Release file.
Takes a valid path to a release file as an argument.
"""
gpg = gnupg.GPG(gnupghome=gpgdir)
args = ['gpg', '-q', '--default-key', signingkey, '--batch', '--yes',
'--homedir', gpgdir]
stream = open(infile, 'rb')
clearargs = args + ['--clearsign', '-a', '-o',
infile.replace('Release', 'InRelease'), infile]
detachargs = args + ['-sb', '-o', infile+'.gpg', infile]
# Clearsign
signed_data = gpg.sign_file(stream, keyid=signingkey, clearsign=True,
detach=False)
inrel = open(infile.replace('Release', 'InRelease'), 'wb')
inrel.write(signed_data.data)
inrel.close()
info('Signing Release (clearsign)')
cleargpg = Popen(clearargs)
cleargpg.wait(timeout=5)
# Detached signature (somewhat broken?)
# gpg.sign_file(stream, keyid=signingkey, clearsign=False, detach=True,
# output=infile + '.gpg')
info('Signing Release (detached sign)')
detachgpg = Popen(detachargs)
detachgpg.wait(timeout=5)
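Review bot: The return values of `cleargpg.wait(timeout=5)` and `detachgpg.wait(timeout=5)` in sign_release are discarded. If gpg exits non-zero (for example because `signingkey` is not present in `gpgdir`), the function logs 'Signing Release' and returns as if the InRelease and .gpg files had been written. Please check `returncode` after each wait and raise on failure, so that write_release cannot publish a Release file with a missing or stale signature. Two smaller points in the same hunk: a `TimeoutExpired` from `wait` is not caught and the gpg child is not killed, so it can keep running after the 5 seconds; and if `stream = open(infile, 'rb')` stays in the function, nothing uses or closes it now that gpg is given the path `infile` directly.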
