This moves all verify code to an own module and adds support to check
all packet files in the structure for integrity. This is done by parsing
assumptions like packet kind, type, issuer and location etc.
CalledProcessError returns bytes for our invocations, the fix that
decoded bytes of stdout was purely to make the mocked test happy while
breaking the actual usage. Restore the behavior and fix the wrong mocked
data.
This feature allows to import from a piped fd like:
> ./keyringctl import --name foobar <(gpg --export foo@bar)
We achieve this even with hidepid by taking the naive approach of
copying the processes fd source to a tempfile and pass around latter.
Otherwise the PGP trust and revocation status file will not match our
expectations. A single applied revocation to this directory structure
should be checked either way.
We can later create TODO's to have at least two revocations for the keys
that would otherwise be still trusted and then change this value.
Currently only newly added certificates will be checked against the
expectations as existing keys are not all fully compatible with those
assumptions. New certificates are determined by using
$CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
Handle missing or wrong certificate paths in a way that does not lead to
a blocking command by reading from stdin. Instead throw either file not
found errors or expect optional outputs.
