This moves all verify code to an own module and adds support to check
all packet files in the structure for integrity. This is done by parsing
assumptions like packet kind, type, issuer and location etc.
CalledProcessError returns bytes for our invocations, the fix that
decoded bytes of stdout was purely to make the mocked test happy while
breaking the actual usage. Restore the behavior and fix the wrong mocked
data.
pyproject.toml:
Set specific source for `toolscoverage.paths` (as we only provide one
module).
Set `tools.coverage.run.relative_files` to true (although it is still
bug riddled and does not seem to work as advertized in regards to xml
output: https://github.com/nedbat/coveragepy/issues/963,
https://github.com/nedbat/coveragepy/issues/1147).
Set `tool.coverage.xml.output`, so we don't have to provide it on the
commandline.
Makefile:
Do not provide an output file to the coverage xml call, as we do that in
configuration now.
tests/test_sequoia.py:
Add unit tests for `keyring_split()`, `keyring_merge()`,
`packet_split()`, `packet_join()`, `inspect()`, `packet_dump()`,
`packet_dump_field()`, `packet_signature_creation_time()`, and
`latest_certification()`.
This feature allows to import from a piped fd like:
> ./keyringctl import --name foobar <(gpg --export foo@bar)
We achieve this even with hidepid by taking the naive approach of
copying the processes fd source to a tempfile and pass around latter.
Otherwise the PGP trust and revocation status file will not match our
expectations. A single applied revocation to this directory structure
should be checked either way.
We can later create TODO's to have at least two revocations for the keys
that would otherwise be still trusted and then change this value.
Currently only newly added certificates will be checked against the
expectations as existing keys are not all fully compatible with those
assumptions. New certificates are determined by using
$CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
Handle missing or wrong certificate paths in a way that does not lead to
a blocking command by reading from stdin. Instead throw either file not
found errors or expect optional outputs.
When importing a non reduced keyring the certifications were not
deterministic for keys that have multiple certifications per issuer.
This was for example the case for self certifications to extend the
expiry time. Before this commit a random certification could remain the
final one which would lead to a non up to date keyring and a potentially
expired key.
We duplicated resolving usernames and fingerprints to actual keyring
paths in multiple places. De-duplicate the code by using dedicated
functions to do this job.
All modern tooling already reads type hinting from the signatures
instead of the docstring and supports annotating the parameter
accordingly. Remove the duplicated data to avoid out of sync
documentation.
The API makes more sense to return (trusted,revoked) as the caller can
simply derive all certificates by joining the two sets.
To simplify the functions, some code has been replaced to use helper
methods to flatten the nested loops.
By collecting the matching usernames to all fingerprints we are able to
enrich the output of `inspect` to show the usernames next to the
certifications.
This aids initial imports of keyrings that contain multiple certificates
by allowing keyring_split to enforce preserving the filenames. This is
achieved by moving each split keyring into unique sub directories where
the original input filename remains unique.
When we import new packet data, always allow overwrites of the final
packet files. This may happen when importing from multiple files that
provide the same packets, which is fine as they should still yield to
the same results.
This allows an easy to use cli which invokes the export function to get
the keyring and uses the ownertrust and revoke functions to write all
artifacts into a target directory.
This gives more control over the export command that may be useful to
export a single packager to import it into gpg. This will also give more
flexibility to chain this function to the future verify stage.
By default the command exports the whole keyring directory.