+ # Defaults for keyserver and keyring
+ if not keyserver:
+ keyserver = Cnf["Dinstall::KeyServer"]
+ if not keyring:
+ keyring = Cnf.ValueList("Dinstall::GPGKeyring")[0]
+
+ # Ensure the filename contains no shell meta-characters or other badness
+ if not re_taint_free.match(filename):
+ return "%s: tainted filename" % (filename)
+
+ # Invoke gpgv on the file
+ status_read, status_write = os.pipe();
+ cmd = "gpgv --status-fd %s --keyring /dev/null %s" % (status_write, filename)
+ (_, status, _) = gpgv_get_status_output(cmd, status_read, status_write)
+
+ # Process the status-fd output
+ (keywords, internal_error) = process_gpgv_output(status)
+ if internal_error:
+ return internal_error
+
+ if not keywords.has_key("NO_PUBKEY"):
+ return "didn't find expected NO_PUBKEY in gpgv status-fd output"
+
+ fingerprint = keywords["NO_PUBKEY"][0]
+ # XXX - gpg sucks. You can't use --secret-keyring=/dev/null as
+ # it'll try to create a lockfile in /dev. A better solution might
+ # be a tempfile or something.
+ cmd = "gpg --no-default-keyring --secret-keyring=%s --no-options" \
+ % (Cnf["Dinstall::SigningKeyring"])
+ cmd += " --keyring %s --keyserver %s --recv-key %s" \
+ % (keyring, keyserver, fingerprint)
+ (result, output) = commands.getstatusoutput(cmd)
+ if (result != 0):
+ return "'%s' failed with exit code %s" % (cmd, result)
+
+ return ""
+
+################################################################################
+
+def gpg_keyring_args(keyrings=None):
+ if not keyrings:
+ keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
+
+ return " ".join(["--keyring %s" % x for x in keyrings])
+
+################################################################################
+
+def check_signature (sig_filename, reject, data_filename="", keyrings=None, autofetch=None):