trefactor sign_release to use gnupg directly via subprocess - amprolla - devuan's apt repo merger HTML git clone git://parazyd.org/amprolla.git DIR Log DIR Files DIR Refs DIR README DIR LICENSE --- DIR commit ea2b4dd29579b36f02547ba089383cdefa463f8c DIR parent 57ac2b2a17fbeb08fc845bbb0b275d22c568892f HTML Author: parazyd <parazyd@dyne.org> Date: Fri, 11 Aug 2017 10:35:39 +0200 refactor sign_release to use gnupg directly via subprocess removes the need for python-gnupg which tends to have a relatively unstable API and doesn't work properly on some machines. Diffstat: M README.md | 8 ++++---- M doc/setup.md | 2 +- M lib/release.py | 31 +++++++++++++++++-------------- 3 files changed, 22 insertions(+), 19 deletions(-) --- DIR diff --git a/README.md b/README.md t@@ -19,19 +19,19 @@ of the according `Release` files. Dependencies ------------ -amprolla requires Python 3, and some external modules for it. The lowest -version it's been tested on was Python 3.4. +amprolla requires Python 3, the lowest version it's been tested on was +Python 3.4. It also requires the python-requests library. ### Devuan/Debian ``` -rsync gnupg2 python3-requests python3-gnupg +rsync gnupg2 python3-requests ``` ### Gentoo: ``` -net-misc/rsync app-crypt/gnupg dev-python/requests dev-python/python-gnupg +net-misc/rsync app-crypt/gnupg dev-python/requests ``` DIR diff --git a/doc/setup.md b/doc/setup.md t@@ -14,7 +14,7 @@ with the extra needed dependencies is using your package manager. You will need the following: ``` -python3, python-gnupg, python-requests, gnupg2, rsync +python3, python-requests, gnupg2, rsync ``` After installing the required dependencies, clone the amprolla git repo DIR 
diff --git a/lib/release.py b/lib/release.py t@@ -7,11 +7,12 @@ Release file functions and helpers from datetime import datetime, timedelta from gzip import decompress as gzip_decomp from lzma import compress as lzma_comp -from os.path import basename, getsize, isfile -import gnupg +from os.path import getsize, isfile +from subprocess import Popen from lib.config import (checksums, distrolabel, gpgdir, release_aliases, release_keys, signingkey) +from lib.log import info from lib.parse import parse_release_head t@@ -85,19 +86,21 @@ def write_release(oldrel, newrel, filelist, r, sign=True, rewrite=True): def sign_release(infile): """ - Signs both the clearsign and the detached signature of a Release file + Signs both the clearsign and the detached signature of a Release file. + + Takes a valid path to a release file as an argument. """ - gpg = gnupg.GPG(gnupghome=gpgdir) + args = ['gpg', '-q', '--default-key', signingkey, '--batch', '--yes', + '--homedir', gpgdir] - stream = open(infile, 'rb') + clearargs = args + ['--clearsign', '-a', '-o', + infile.replace('Release', 'InRelease'), infile] + detachargs = args + ['-sb', '-o', infile+'.gpg', infile] - # Clearsign - signed_data = gpg.sign_file(stream, keyid=signingkey, clearsign=True, - detach=False) - inrel = open(infile.replace('Release', 'InRelease'), 'wb') - inrel.write(signed_data.data) - inrel.close() + info('Signing Release (clearsign)') + cleargpg = Popen(clearargs) + cleargpg.wait(timeout=5) - # Detached signature (somewhat broken?) - # gpg.sign_file(stream, keyid=signingkey, clearsign=False, detach=True, - # output=infile + '.gpg') + info('Signing Release (detached sign)') + detachgpg = Popen(detachargs) + detachgpg.wait(timeout=5)
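Review bot: Neither `wait(timeout=5)` call in sign_release checks gpg's exit status, so a failed signing run (missing key, unusable homedir, unwritable output) returns normally and the caller cannot tell that `InRelease` or `Release.gpg` was not freshly produced. A timeout is also handled only halfway, because `Popen.wait` raises `TimeoutExpired` but leaves the gpg child running. Importing `check_call` instead of `Popen` and calling `check_call(clearargs, timeout=5)` and `check_call(detachargs, timeout=5)` would raise on a non-zero exit and kill the child on timeout, and it works on the Python 3.4 that the README names as the lowest tested version. Separately, `infile.replace('Release', 'InRelease')` rewrites every occurrence of `Release` in the path rather than only the file name, so a directory component containing that word would move the output file.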