Merge lp:~cjwatson/launchpad/gpg-fix-verify-retrieve-key into lp:launchpad

Proposed by Colin Watson
Status: Merged
Merged at revision: 18905
Proposed branch: lp:~cjwatson/launchpad/gpg-fix-verify-retrieve-key
Merge into: lp:launchpad
Diff against target: 76 lines (+49/-2)
2 files modified
lib/lp/services/gpg/handler.py (+6/-1)
lib/lp/services/gpg/tests/test_gpghandler.py (+43/-1)
To merge this branch: bzr merge lp:~cjwatson/launchpad/gpg-fix-verify-retrieve-key
Reviewer Review Type Date Requested Status
William Grant code Approve
Review via email: mp+364386@code.launchpad.net

Commit message

Temporarily allow 64-bit key IDs in GPGHandler.retrieveKey, since getVerifiedSignature may need them.

Description of the change

An awkward consequence of https://code.launchpad.net/~cjwatson/launchpad/no-auto-key-retrieve/+merge/364100. I still think this is probably the best approach for now given the keyserver weirdness, but happy to discuss it.

William Grant (wgrant) :
review: Approve (code)

Preview Diff

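--- a/lib/lp/services/gpg/handler.py
+++ b/lib/lp/services/gpg/handler.py
@@ -457,7 +457,12 @@
 if not key.exists_in_local_keyring:
 pubkey = self._getPubKey(fingerprint)
 key = self.importPublicKey(pubkey)
-if fingerprint != key.fingerprint:
+# XXX cjwatson 2019-03-13: Remove affordance for 64-bit key IDs
+# once we're on GnuPG 2.2.7 and GPGME 1.11.0. See comment in
+# getVerifiedSignature.
+if (fingerprint != key.fingerprint and
+not (len(fingerprint) == 16 and
+key.fingerprint.endswith(fingerprint))):
 ctx = self._getContext()
 with gpgme_timeline("delete", key.fingerprint):
 ctx.delete(key.key)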
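Review bot: The relaxed comparison in `retrieveKey` accepts any retrieved key whose fingerprint ends with a 16-character request, and it does so for every caller of the method, not only `getVerifiedSignature`. A 64-bit suffix is a much weaker binding than the full fingerprint, so any trust decision has to be made on the returned `key.fingerprint`, never on the identifier that was requested. The XXX comment says when to remove the affordance but not that contract; I would add `# A 64-bit key ID match does not authenticate the key: callers must treat the returned key.fingerprint as authoritative.` above the condition. `endswith` is also case-sensitive, so a lower-case key ID would presumably be reported as a mismatch; that fails closed, but is worth a sentence in the docstring. The enclosing method starts before this hunk and the mismatch branch appears to continue after it.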
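--- a/lib/lp/services/gpg/tests/test_gpghandler.py
+++ b/lib/lp/services/gpg/tests/test_gpghandler.py
@@ -1,4 +1,4 @@
-# Copyright 2009-2018 Canonical Ltd. This software is licensed under the
+# Copyright 2009-2019 Canonical Ltd. This software is licensed under the
 # GNU Affero General Public License version 3 (see the file LICENSE).
 
 import base64
@@ -193,6 +193,48 @@
 GPGKeyMismatchOnServer, gpghandler.retrieveKey, fingerprint)
 self.assertEqual([], list(gpghandler.localKeys()))
 
+def test_retrieveKey_allows_64bit_key_id(self):
+# In order to support retrieving keys during signature verification,
+# retrieveKey temporarily allows 64-bit key IDs.
+keyserver = self.useFixture(KeyServerTac())
+fingerprint = "340CA3BB270E2716C9EE0B768E7EB7086C64A8C5"
+key_id = fingerprint[-16:]
+shutil.copy2(
+test_pubkey_file_from_email("foo.bar@canonical.com"),
+os.path.join(keyserver.root, "0x%s.get" % key_id))
+gpghandler = getUtility(IGPGHandler)
+self.assertEqual(
+fingerprint, gpghandler.retrieveKey(key_id).fingerprint)
+fingerprints = set(key.fingerprint for key in gpghandler.localKeys())
+self.assertIn(fingerprint, fingerprints)
+
+def test_retrieveKey_checks_64bit_key_id(self):
+# If retrieveKey is given a 64-bit key ID, it checks that it's a
+# suffix of the fingerprint (which is the best it can do).
+keyserver = self.useFixture(KeyServerTac())
+key_id = "0000000000000000"
+shutil.copy2(
+test_pubkey_file_from_email("foo.bar@canonical.com"),
+os.path.join(keyserver.root, "0x%s.get" % key_id))
+gpghandler = getUtility(IGPGHandler)
+self.assertRaises(
+GPGKeyMismatchOnServer, gpghandler.retrieveKey, key_id)
+self.assertEqual([], list(gpghandler.localKeys()))
+
+def test_retrieveKey_forbids_32bit_key_id(self):
+# 32-bit key IDs are just too terrible, and retrieveKey doesn't
+# support those.
+keyserver = self.useFixture(KeyServerTac())
+fingerprint = "340CA3BB270E2716C9EE0B768E7EB7086C64A8C5"
+key_id = fingerprint[-8:]
+shutil.copy2(
+test_pubkey_file_from_email("foo.bar@canonical.com"),
+os.path.join(keyserver.root, "0x%s.get" % key_id))
+gpghandler = getUtility(IGPGHandler)
+self.assertRaises(
+GPGKeyMismatchOnServer, gpghandler.retrieveKey, key_id)
+self.assertEqual([], list(gpghandler.localKeys()))
+
 def test_uploadPublicKey_suppress_in_config(self):
 self.useFixture(KeyServerTac())
 logger = BufferLogger()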
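Review bot: `test_retrieveKey_checks_64bit_key_id` uses the all-zero ID `0000000000000000`, which a `startswith` or substring comparison would reject just as well, so none of the three new tests pins the requirement that the ID be the tail of the fingerprint. A further negative case with a 16-character string that occurs in the fingerprint but is not its suffix, for example `key_id = fingerprint[:16]`, expecting `GPGKeyMismatchOnServer` and an empty `localKeys()`, would catch a later edit that loosens `endswith`. The 32-bit test already covers a true suffix of the wrong length, so the length guard itself is exercised.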