From: Anthony Towns <aj@azure.humbug.org.au>
Date: Sat, 10 Mar 2007 15:24:49 +0000 (+1000)
Subject: Make GPGKeyring a list of keyrings; drop PGPKeyring.
X-Git-Url: https://git.decadent.org.uk/gitweb/?p=dak.git;a=commitdiff_plain;h=6c92853af8a7ca65fad19cb0f1a0ffaecec48fb7

Make GPGKeyring a list of keyrings; drop PGPKeyring.
This allows for more than two keyrings to be used.
---

diff --git a/config/debian-non-US/dak.conf b/config/debian-non-US/dak.conf
index 2c14c7db..be2527e5 100644
--- a/config/debian-non-US/dak.conf
+++ b/config/debian-non-US/dak.conf
@@ -1,7 +1,9 @@
 Dinstall
 {
-   PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
-   GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+   GPGKeyring {
+      "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   };
    SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
    SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
    SigningKeyIds "1DB114E0";
diff --git a/config/debian-security/dak.conf b/config/debian-security/dak.conf
index b146c637..0af66820 100644
--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
@@ -1,7 +1,9 @@
 Dinstall
 {
-   PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
-   GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+   GPGKeyring {
+      "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   };
    SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
    SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
    SigningKeyIds "2D230C5F";
diff --git a/config/debian/dak.conf b/config/debian/dak.conf
index 047cf269..50390f5b 100644
--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
@@ -1,7 +1,9 @@
 Dinstall
 {
-   PGPKeyring "/srv/keyring.debian.org/keyrings/debian-keyring.pgp";
-   GPGKeyring "/srv/keyring.debian.org/keyrings/debian-keyring.gpg";
+   GPGKeyrings {
+      "/srv/keyring.debian.org/keyrings/debian-keyring.gpg"; 
+      "/srv/keyring.debian.org/keyrings/debian-keyring.pgp";
+   };
    SigningKeyring "/srv/ftp.debian.org/s3kr1t/dot-gnupg/secring.gpg";
    SigningPubKeyring "/srv/ftp.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
    SigningKeyIds "6070D3A1";
diff --git a/dak/import_archive.py b/dak/import_archive.py
index f064b4ae..34dc61bc 100755
--- a/dak/import_archive.py
+++ b/dak/import_archive.py
@@ -98,8 +98,8 @@ def check_signature (filename):
         return None
 
     status_read, status_write = os.pipe()
-    cmd = "gpgv --status-fd %s --keyring %s --keyring %s %s" \
-          % (status_write, Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"], filename)
+    cmd = "gpgv --status-fd %s %s %s" \
+          % (status_write, daklib.utils.gpg_keyring_args(), filename)
     (output, status, exit_status) = daklib.utils.gpgv_get_status_output(cmd, status_read, status_write)
 
     # Process the status-fd output
diff --git a/dak/import_ldap_fingerprints.py b/dak/import_ldap_fingerprints.py
index 4541c331..90e4108f 100755
--- a/dak/import_ldap_fingerprints.py
+++ b/dak/import_ldap_fingerprints.py
@@ -136,9 +136,8 @@ SELECT f.fingerprint, f.id, u.uid FROM fingerprint f, uid u WHERE f.uid = u.id
     q = projectB.query("SELECT fingerprint, id FROM fingerprint WHERE uid is null")
     for i in q.getresult():
         (fingerprint, fingerprint_id) = i
-        cmd = "gpg --no-default-keyring --keyring=%s --keyring=%s --fingerprint %s" \
-              % (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"],
-                 fingerprint)
+        cmd = "gpg --no-default-keyring %s --fingerprint %s" \
+              % (gpg_keyring_args(), fingerprint)
         (result, output) = commands.getstatusoutput(cmd)
         if result == 0:
             m = re_gpg_fingerprint.search(output)
@@ -156,9 +155,8 @@ SELECT f.fingerprint, f.id, u.uid FROM fingerprint f, uid u WHERE f.uid = u.id
             extra_keyrings = ""
             for keyring in Cnf.ValueList("Import-LDAP-Fingerprints::ExtraKeyrings"):
                 extra_keyrings += " --keyring=%s" % (keyring)
-            cmd = "gpg --keyring=%s --keyring=%s %s --list-key %s" \
-                  % (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"],
-                     extra_keyrings, fingerprint)
+            cmd = "gpg %s %s --list-key %s" \
+                  % (gpg_keyring_args(), extra_keyrings, fingerprint)
             (result, output) = commands.getstatusoutput(cmd)
             if result != 0:
                 cmd = "gpg --keyserver=%s --allow-non-selfsigned-uid --recv-key %s" % (Cnf["Import-LDAP-Fingerprints::KeyServer"], fingerprint)
diff --git a/daklib/utils.py b/daklib/utils.py
index 4e048d3c..9758fc97 100644
--- a/daklib/utils.py
+++ b/daklib/utils.py
@@ -904,7 +904,7 @@ on error."""
     if not keyserver:
         keyserver = Cnf["Dinstall::KeyServer"]
     if not keyring:
-        keyring = Cnf["Dinstall::GPGKeyring"]
+        keyring = Cnf.ValueList("Dinstall::GPGKeyring")[0]
 
     # Ensure the filename contains no shell meta-characters or other badness
     if not re_taint_free.match(filename):
@@ -939,6 +939,14 @@ on error."""
 
 ################################################################################
 
+def gpg_keyring_args(keyrings=None)
+    if not keyrings:
+        keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
+
+    return " ".join(["--keyring %s" % x for x in keyrings])
+
+################################################################################
+
 def check_signature (sig_filename, reject, data_filename="", keyrings=None, autofetch=None):
     """Check the signature of a file and return the fingerprint if the
 signature is valid or 'None' if it's not.  The first argument is the
@@ -963,7 +971,7 @@ used."""
         return None
 
     if not keyrings:
-        keyrings = (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"])
+        keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
 
     # Autofetch the signing key if that's enabled
     if autofetch == None:
@@ -976,10 +984,9 @@ used."""
 
     # Build the command line
     status_read, status_write = os.pipe(); 
-    cmd = "gpgv --status-fd %s" % (status_write)
-    for keyring in keyrings:
-        cmd += " --keyring %s" % (keyring)
-    cmd += " %s %s" % (sig_filename, data_filename)
+    cmd = "gpgv --status-fd %s %s %s %s" % (
+        status_write, gpg_keyring_args(keyrings), sig_filename, data_filename)
+
     # Invoke gpgv on the file
     (output, status, exit_status) = gpgv_get_status_output(cmd, status_read, status_write)
 
diff --git a/docs/README.config b/docs/README.config
index 29749f65..c0e831f3 100644
--- a/docs/README.config
+++ b/docs/README.config
@@ -200,8 +200,10 @@ Mandatory.  List of dinstall options, e.g.:
 
 | Dinstall
 | {
-|    PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
-|    GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+|    GPGKeyring {
+|       "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+|       "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+|    };
 |    SigningKeyring "/org/ftp.debian.org/s3kr1t/dot-gnupg/secring.gpg";
 |    SendmailCommand "/usr/sbin/sendmail -odq -oi -t";
 |    MyEmailAddress "Debian Installer <installer@ftp-master.debian.org>";
@@ -222,8 +224,8 @@ Mandatory.  List of dinstall options, e.g.:
 |    };
 | };
 
-PGPKeyring and GPGKeyring (required): filenames of the PGP and GnuPG
-keyrings to be used by dak respectively.
+GPGKeyring (required): filenames of the PGP and GnuPG
+keyrings to be used by dak.
 
 SigningKeyring (optional): this is the private keyring used by 'dak
 generate-releases'.