
Check if the right gpg key is available

 The signature file is downloaded first and checked with itself.
 gpg returns exit code 2 when the public key is not in the keyring.
 If this is the case, ignore further possible download files.

Signed-off-by: Johann Felix Soden <johfel.gmx.de>
Signed-off-by: Stratos Psomadakis <psomas@cslab.ece.ntua.gr>
1 parent ba5fcd6 commit fa6d98aa6f3f48cd16ae710984dceb996c76ef5e @johfel johfel committed with May 18, 2011
Showing with 31 additions and 2 deletions.
  1. +31 −2 ketchup
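--- a/ketchup
+++ b/ketchup
@@ -33,7 +33,7 @@
 # gpg = '/weird/path/to/gpg'
 #
-import re, sys, urllib, os, getopt, glob, shutil
+import re, sys, urllib, os, getopt, glob, shutil, subprocess
 def error(*args):
 sys.stderr.write("ketchup: ")
@@ -298,12 +298,35 @@ def download(url, f):
 os.rename(f + ".partial", f)
 return 1
+def check_if_gpg_key_available(url, f, sign):
+ if options["no-gpg"] or options["dry-run"] or not options["gpg-path"]:
+ return 1
+ sf = f + sign
+ qprint("Check if GPG key is available...")
+ if not download(url + sign, sf):
+ error("signature download failed")
+ return 0
+
+ process= subprocess.Popen([options["gpg-path"], "--no-tty", "--batch", "--verify",sf,sf],
+ stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
+ output, unused_err = process.communicate()
+ r = process.poll()
+ if r == 2: # key is not available
+ qprint(output)
+ error("The GPG key seems not to be in the keyring. Please fix this and try again.")
+ qprint("In the case potential malicious kernel code is not a problem,\n"
+ "you can skip the verifying by using --no-gpg.")
+ return -1
+ if r < 0: # killed by signal
+ return -1
+ return 1
+
 def verify(url, f, sign):
 if options["no-gpg"] or options["dry-run"] or not options["gpg-path"]:
 return 1
 sf = f + sign
- if not download(url + sign, sf):
+ if not os.path.isfile(sf) and not download(url + sign, sf):
 error("signature download failed")
 error("removing files...")
 os.unlink(f)
@@ -322,6 +345,12 @@ def verify(url, f, sign):
 def trydownload(urls, f, sign):
 for url in urls:
+ if sign:
+ result=check_if_gpg_key_available(url, f, sign)
+ if result < 0: # gpg key not available
+ return None
+ elif result==0: # download failed
+ continue
 if download(url, f):
 if not sign or verify(url, f, sign):
 return f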
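Review bot: In check_if_gpg_key_available, `if r == 2:` treats every gpg exit status 2 as a missing public key, but as far as I know gpg also exits with 2 for other failures, for instance a signature file that is not valid OpenPGP data, such as an error page served by a mirror. One bad mirror would then abort the whole loop in trydownload with a misleading keyring message instead of moving on to the next URL. Ask gpg for machine-readable status and match on it: add `"--status-fd", "1"` to the argument list and test `if r == 2 and "NO_PUBKEY" in output:`, returning 0 for other status-2 failures so the next mirror is tried. Every other non-zero status falls through to `return 1`, so the integrity decision rests entirely on the later call to verify(), whose body continues outside the visible hunks; a one-line comment such as `# only probes the keyring; the download is validated in verify()` would keep this from being read as a verification step. Popen can also raise OSError when the configured gpg path cannot be executed, which is not handled here.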
