diff options
| author | Mike Frysinger <vapier@google.com> | 2020-02-14 16:28:13 -0500 |
|---|---|---|
| committer | Mike Frysinger <vapier@google.com> | 2020-02-15 03:55:45 +0000 |
| commit | 19a1f22cd0a06eeb1cdea8e81ce7871bd5d6d6a2 (patch) | |
| tree | 1c4ba8a749c017bd28ada2821defe8cd4b1128f4 | |
| parent | 076512aafaa96563cfb1ca1d43bbd515091d0e5e (diff) | |
| download | git-repo-19a1f22cd0a06eeb1cdea8e81ce7871bd5d6d6a2.tar.gz | |
repo: rework gpg import for Windows
Some versions of gpg on Windows mishandle native paths with homedir.
It manifests itself like:
gpg: keybox 'C:\Users\.../.repoconfig\gnupg/pubring.kbx' created
gpg: C:\Users\.../.repoconfig\gnupg/trustdb.gpg: trustdb created
gpg: key 16530D5E920F5C65: public key "Repo Maintainer <repo@android.kernel.org>" imported
gpg: can't connect to the agent: Invalid value passed to IPC
gpg: Total number processed: 1
gpg: imported: 1
fatal: registering repo maintainer keys failed
It seems gpg (at least version 2.2.17) needs paths to be specified
in cygwin form (e.g. "/c/Users/.../.repoconfig/gnupg") otherwise
it fails to talk to its own processes. We can work around this
with a minor trick: we cd to the right path and then invoke gpg
with --homedir . and let gpg itself resolve . to whatever form it
really wants.
This is a bit hacky, but we don't control gpg, and this allows us
to avoid having to muck with the environment. Since --homedir has
been around since at least gpg-1.4.x from 2004, backwards compat
shouldn't be an issue.
While we're here, touch up the output a bit: there's no need to
dump all the chatty gpg output if things don't fail, so always
swallow the output. If things do fail, our exception handler
takes care of dumping the full stdout & stderr.
Change-Id: I74ab98e1e61e95318fda6faf57c6a8699f775935
Reviewed-on: https://gerrit-review.googlesource.com/c/git-repo/+/255120
Reviewed-by: David Pursehouse <dpursehouse@collab.net>
Tested-by: Mike Frysinger <vapier@google.com>
| -rwxr-xr-x | repo | 21 |
1 files changed, 12 insertions, 9 deletions
| @@ -650,13 +650,19 @@ def SetupGnuPG(quiet): | |||
| 650 | file=sys.stderr) | 650 | file=sys.stderr) |
| 651 | sys.exit(1) | 651 | sys.exit(1) |
| 652 | 652 | ||
| 653 | env = os.environ.copy() | 653 | if not quiet: |
| 654 | _setenv('GNUPGHOME', gpg_dir, env) | 654 | print('repo: Updating release signing keys to keyset ver %s' % |
| 655 | 655 | ('.'.join(str(x) for x in KEYRING_VERSION),)) | |
| 656 | cmd = ['gpg', '--import'] | 656 | # NB: We use --homedir (and cwd below) because some environments (Windows) do |
| 657 | # not correctly handle full native paths. We avoid the issue by changing to | ||
| 658 | # the right dir with cwd=gpg_dir before executing gpg, and then telling gpg to | ||
| 659 | # use the cwd (.) as its homedir which leaves the path resolution logic to it. | ||
| 660 | cmd = ['gpg', '--homedir', '.', '--import'] | ||
| 657 | try: | 661 | try: |
| 658 | run_command(cmd, env=env, stdin=subprocess.PIPE, | 662 | # gpg can be pretty chatty. Always capture the output and if something goes |
| 659 | capture_output=quiet, | 663 | # wrong, the builtin check failure will dump stdout & stderr for debugging. |
| 664 | run_command(cmd, stdin=subprocess.PIPE, capture_output=True, | ||
| 665 | cwd=gpg_dir, check=True, | ||
| 660 | input=MAINTAINER_KEYS.encode('utf-8')) | 666 | input=MAINTAINER_KEYS.encode('utf-8')) |
| 661 | except OSError: | 667 | except OSError: |
| 662 | if not quiet: | 668 | if not quiet: |
| @@ -665,9 +671,6 @@ def SetupGnuPG(quiet): | |||
| 665 | print(file=sys.stderr) | 671 | print(file=sys.stderr) |
| 666 | return False | 672 | return False |
| 667 | 673 | ||
| 668 | if not quiet: | ||
| 669 | print() | ||
| 670 | |||
| 671 | with open(os.path.join(home_dot_repo, 'keyring-version'), 'w') as fd: | 674 | with open(os.path.join(home_dot_repo, 'keyring-version'), 'w') as fd: |
| 672 | fd.write('.'.join(map(str, KEYRING_VERSION)) + '\n') | 675 | fd.write('.'.join(map(str, KEYRING_VERSION)) + '\n') |
| 673 | return True | 676 | return True |