pld-builder.new: PLD_Builder/gpg.py, PLD_Builder/request_handler.py - impro...
glen
glen at pld-linux.org
Thu Jul 17 12:02:54 CEST 2008
Author: glen Date: Thu Jul 17 10:02:54 2008 GMT
Module: pld-builder.new Tag: HEAD
---- Log message:
- improved error handling when gpg signature check failed
---- Files affected:
pld-builder.new/PLD_Builder:
gpg.py (1.18 -> 1.19) , request_handler.py (1.38 -> 1.39)
---- Diffs:
================================================================
Index: pld-builder.new/PLD_Builder/gpg.py
diff -u pld-builder.new/PLD_Builder/gpg.py:1.18 pld-builder.new/PLD_Builder/gpg.py:1.19
--- pld-builder.new/PLD_Builder/gpg.py:1.18 Tue Jul 15 13:26:03 2008
+++ pld-builder.new/PLD_Builder/gpg.py Thu Jul 17 12:02:49 2008
@@ -14,9 +14,36 @@
if not d.closed:
d.close()
+def get_keys(buf):
+ """Extract keys from gpg message
+
+ """
+
+ if not os.path.isfile('/usr/bin/gpg'):
+ log.error("missing gnupg binary: /usr/bin/gpg")
+ raise OSError, 'Missing gnupg binary'
+
+ gpg_run = popen2.Popen3("/usr/bin/gpg --batch --no-tty --decrypt", True)
+ try:
+ body = pipeutil.rw_pipe(buf, gpg_run.tochild, gpg_run.fromchild)
+ except OSError, e:
+ __gpg_close([gpg_run.fromchild, gpg_run.childerr, gpg_run.tochild])
+ gpg_run.wait()
+ log.error("gnupg run, does gpg binary exist? : %s" % e)
+ raise
+
+ rx = re.compile("^gpg: Signature made .*using [DR]SA key ID (.+)")
+ keys = []
+ for l in gpg_run.childerr.xreadlines():
+ m = rx.match(l)
+ if m:
+ keys.append(m.group(1))
+
+ return keys
+
def verify_sig(buf):
"""Check signature.
-
+
Given email as file-like object, return (signer-emails, signed-body).
where signer-emails is lists of strings, and signed-body is StringIO
object.
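Review bot: On the success path get_keys never closes the three pipes or reaps the child: `__gpg_close` and `gpg_run.wait()` run only in the `except OSError` branch, so every call that reaches the stderr-parsing loop leaks the descriptors and leaves a finished gpg process unreaped until the Popen3 object is collected. After the `for l in gpg_run.childerr.xreadlines():` loop, add `__gpg_close([gpg_run.fromchild, gpg_run.childerr, gpg_run.tochild])` and `gpg_run.wait()` before `return keys`. The decrypted `body` returned by rw_pipe is assigned and never used, which deserves a comment such as `# stdout is drained only so gpg can finish; key IDs are read from stderr`. The key-ID regex matches gpg's English "Signature made ... using ... key ID" text, so it presumably depends on the locale the builder runs under — confirm gpg is invoked with a C locale. The tail of `__gpg_close` and the start of the `verify_sig` docstring fall inside this hunk; `verify_sig`'s body continues outside it.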
@@ -32,7 +59,7 @@
except OSError, e:
__gpg_close([gpg_run.fromchild, gpg_run.childerr, gpg_run.tochild])
gpg_run.wait()
- log.error("gnupg signing failed, does gpg binary exist? : %s" % e)
+ log.error("gnupg run failed, does gpg binary exist? : %s" % e)
raise
rx = re.compile("^gpg: (Good signature from| aka) .*<([^>]+)>")
================================================================
Index: pld-builder.new/PLD_Builder/request_handler.py
diff -u pld-builder.new/PLD_Builder/request_handler.py:1.38 pld-builder.new/PLD_Builder/request_handler.py:1.39
--- pld-builder.new/PLD_Builder/request_handler.py:1.38 Sun May 20 09:39:25 2007
+++ pld-builder.new/PLD_Builder/request_handler.py Thu Jul 17 12:02:49 2008
@@ -143,8 +143,10 @@
user = acl.user_by_email(em)
if user == None:
# FIXME: security email here
- log.alert("invalid signature, or not in acl %s" % em)
+ sio.seek(0); keys = gpg.get_keys(sio)
+ log.alert("Invalid signature, missing/untrusted key, or '%s' not in acl. Keys in gpg batch: '%s'" % (em, keys))
return False
+
acl.set_current_user(user)
status.push("email from %s" % user.login)
r = request.parse_request(body)
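Review bot: The new `gpg.get_keys(sio)` call sits in the ACL-rejection path and can raise OSError (get_keys re-raises after a failed pipe run), which would turn the intended `return False` into an unhandled exception in the request handler; guard it so the alert is still logged, e.g. `try: keys = gpg.get_keys(sio)` / `except OSError: keys = []`. Splitting `sio.seek(0); keys = gpg.get_keys(sio)` onto two lines would also match the rest of the file's style. This presumably relies on `sio` holding the same signed message that `verify_sig` consumed — if so, a comment like `# re-run gpg on the original message only to list the key IDs for the alert` would help the next reader. The enclosing function starts before this hunk.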
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/pld-builder.new/PLD_Builder/gpg.py?r1=1.18&r2=1.19&f=u
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/pld-builder.new/PLD_Builder/request_handler.py?r1=1.38&r2=1.39&f=u