URI: 
       trefactor sign_release to use gnupg directly via subprocess - amprolla - devuan's apt repo merger
  HTML git clone git://parazyd.org/amprolla.git
   DIR Log
   DIR Files
   DIR Refs
   DIR README
   DIR LICENSE
       ---
   DIR commit ea2b4dd29579b36f02547ba089383cdefa463f8c
   DIR parent 57ac2b2a17fbeb08fc845bbb0b275d22c568892f
  HTML Author: parazyd <parazyd@dyne.org>
       Date:   Fri, 11 Aug 2017 10:35:39 +0200
       
       refactor sign_release to use gnupg directly via subprocess
       
       removes the need for python-gnupg which tends to have a relatively
       unstable API and doesn't work properly on some machines.
       
       Diffstat:
         M README.md                           |       8 ++++----
         M doc/setup.md                        |       2 +-
         M lib/release.py                      |      31 +++++++++++++++++--------------
       
       3 files changed, 22 insertions(+), 19 deletions(-)
       ---
   DIR diff --git a/README.md b/README.md
       t@@ -19,19 +19,19 @@ of the according `Release` files.
        Dependencies
        ------------
        
       -amprolla requires Python 3, and some external modules for it. The lowest
       -version it's been tested on was Python 3.4.
       +amprolla requires Python 3, the lowest version it's been tested on was
       +Python 3.4. It also requires the python-requests library.
        
        ### Devuan/Debian
        
        ```
       -rsync gnupg2 python3-requests python3-gnupg
       +rsync gnupg2 python3-requests
        ```
        
        ### Gentoo:
        
        ```
       -net-misc/rsync app-crypt/gnupg dev-python/requests dev-python/python-gnupg
       +net-misc/rsync app-crypt/gnupg dev-python/requests
        ```
        
        
   DIR diff --git a/doc/setup.md b/doc/setup.md
       t@@ -14,7 +14,7 @@ with the extra needed dependencies is using your package manager.
        You will need the following:
        
        ```
       -python3, python-gnupg, python-requests, gnupg2, rsync
       +python3, python-requests, gnupg2, rsync
        ```
        
        After installing the required dependencies, clone the amprolla git repo
   DIR diff --git a/lib/release.py b/lib/release.py
       t@@ -7,11 +7,12 @@ Release file functions and helpers
        from datetime import datetime, timedelta
        from gzip import decompress as gzip_decomp
        from lzma import compress as lzma_comp
       -from os.path import basename, getsize, isfile
       -import gnupg
       +from os.path import getsize, isfile
       +from subprocess import Popen
        
        from lib.config import (checksums, distrolabel, gpgdir, release_aliases,
                                release_keys, signingkey)
       +from lib.log import info
        from lib.parse import parse_release_head
        
        
       t@@ -85,19 +86,21 @@ def write_release(oldrel, newrel, filelist, r, sign=True, rewrite=True):
        
        def sign_release(infile):
            """
       -    Signs both the clearsign and the detached signature of a Release file
       +    Signs both the clearsign and the detached signature of a Release file.
       +
       +    Takes a valid path to a release file as an argument.
            """
       -    gpg = gnupg.GPG(gnupghome=gpgdir)
       +    args = ['gpg', '-q', '--default-key', signingkey, '--batch', '--yes',
       +            '--homedir', gpgdir]
        
       -    stream = open(infile, 'rb')
       +    clearargs = args + ['--clearsign', '-a', '-o',
       +                        infile.replace('Release', 'InRelease'), infile]
       +    detachargs = args + ['-sb', '-o', infile+'.gpg', infile]
        
       -    # Clearsign
       -    signed_data = gpg.sign_file(stream, keyid=signingkey, clearsign=True,
       -                                detach=False)
       -    inrel = open(infile.replace('Release', 'InRelease'), 'wb')
       -    inrel.write(signed_data.data)
       -    inrel.close()
       +    info('Signing Release (clearsign)')
       +    cleargpg = Popen(clearargs)
       +    cleargpg.wait(timeout=5)
        
       -    # Detached signature (somewhat broken?)
       -    # gpg.sign_file(stream, keyid=signingkey, clearsign=False, detach=True,
       -    #              output=infile + '.gpg')
       +    info('Signing Release (detached sign)')
       +    detachgpg = Popen(detachargs)
       +    detachgpg.wait(timeout=5)