/usr/lib/python3/dist-packages/simple_cdd/gnupg.py is in python3-simple-cdd 0.6.5.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 | from simple_cdd.exceptions import Fail
from simple_cdd.utils import run_command
import os
import subprocess
import logging
log = logging.getLogger()
class Gnupg:
"""
Collect all gnupg related functions
"""
def __init__(self, env):
self.env = env
def init_homedir(self):
gnupghome = self.env.get("GNUPGHOME")
if not os.path.isdir(gnupghome):
os.makedirs(gnupghome, exist_ok=True)
os.chmod(gnupghome, 0o700)
# Import all keyrings into our gnupg home
for keyring_file in self.env.get("keyring"):
if not os.path.exists(keyring_file):
log.warn("keyring file %s does not exist", keyring_file)
continue
self.import_keyring(keyring_file)
def common_gpg_args(self):
args = ["gpg", "--no-default-keyring"]
for k in self.env.get("keyring"):
args.extend(("--keyring", k))
return args
def extract_inline_contents(self, pathname, sigpathname):
args = self.common_gpg_args() + ["--decrypt", sigpathname]
proc = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
stdout, stderr = proc.communicate()
if stdout and proc.returncode == 0:
lines = stdout.splitlines(keepends=True)
with open(pathname, 'w') as x:
for line in lines:
x.write(line.decode('utf-8'))
else:
raise Fail("Unable to extract data from %s to %s, returned %d", sigpathname, pathname, proc.returncode)
def verify_gpg_sig(self, *extra_args):
args = self.common_gpg_args()
args.extend(extra_args)
retval = run_command("verify gpg signature", args)
if retval != 0:
raise Fail("Signature verification failed on %s", pathname)
def verify_detached_sig(self, pathname, sigpathname):
return self.verify_gpg_sig("--verify", sigpathname, pathname)
def verify_inline_sig(self, pathname):
return self.verify_gpg_sig("--verify", pathname)
def import_keyring(self, keyring_file):
"""
Import a keyring into our keyring file
"""
env = dict(os.environ)
env["GNUPGHOME"] = self.env.get("GNUPGHOME")
proc = subprocess.Popen(["gpg", "--import", keyring_file], stdout=subprocess.PIPE, stderr=subprocess.PIPE, env=env)
stdout, stderr = proc.communicate()
retval = proc.wait()
if retval != 0:
for line in stderr.decode("utf-8").split("\n"):
log.error("GPG standard error: %s", line)
raise Fail("Importing %s into %s failed, gpg error code %s", keyring_file, self.env.get("GNUPGHOME"), retval)
def list_valid_keys(self, keyring_file):
"""
Generate a sequence of keyIDs for valid signing keys found in the given
keyring file
"""
keys_raw = subprocess.check_output(["gpg",
"--no-default-keyring",
"--keyring", keyring_file,
"--list-keys",
"--with-colons"],
universal_newlines=True)
for line in keys_raw.split("\n"):
if not line.startswith("pub") and not line.startswith("sub"):
continue
fields = line.split(":")
keyid = fields[4]
status = fields[11]
if 'D' in status: continue
if 's' not in status and 'S' not in status: continue
yield keyid
|