#!/usr/bin/python3
# -*- coding: utf-8 -*-
# pylint: disable=line-too-long
# kate: space-indent on; indent-width 4; replace-tabs on; indent-mode python; remove-trailing-space modified;
# vim: expandtab ts=4
# pylint: enable=line-too-long
############################################################################
# Copyright © 2021 José Manuel Santamaría Lema <panfaust@gmail.com> #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
############################################################################
"""
This module provides the `verify_signature` function, useful to check upstream tarball signatures.
"""
import os
import sys
import tempfile
import subprocess
from libka.ka_print import ka_print_good_stuff
from libka.ka_print import ka_print_error
# The code in this function is inspired by lib/Devscripts/Uscan/Keyring.pm from devscripts,
# which is what uscan uses to verify the upstream tarballs after downloading them, see:
# https://salsa.debian.org/debian/devscripts/-/blob/master/lib/Devscripts/Uscan/Keyring.pm
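def verify_signature(file_name, sig_file_name):
    """
    Verify the detached OpenPGP signature of a file against the upstream signing key.

    The keyring is looked up in the package's ``debian/`` directory (the same
    locations uscan consults), converted to a binary keyring inside a throw-away
    GnuPG home directory, and handed to ``gpgv`` together with the signature
    and the signed file.

    :param file_name: path of the signed file (typically the upstream tarball)
    :param sig_file_name: path of the detached signature for ``file_name``
    :returns: ``None`` when ``gpgv`` accepts the signature
    :raises SystemExit: with status 1 when no keyring file or no gpg/gpgv
        binary can be found, when the keyring cannot be converted, or when
        ``gpgv`` rejects the signature; the reason is reported through
        ``ka_print_error`` before exiting
    """
    # Print the file names to verify; flush so this line precedes gpg's own output.
    ka_print_good_stuff("Verifying: %s %s" % (file_name, sig_file_name))
    sys.stdout.flush()

    # Find out the upstream signing key file, preferring the current location.
    keyring_file_name = _first_existing([
        # the current file name being used in most packages
        "debian/upstream/signing-key.asc",
        # obsolete, but supported
        "debian/upstream/signing-key.pgp",
        "debian/upstream-signing-key.pgp",
    ], os.path.isfile)
    # Previously a missing keyring silently fell through to the last candidate
    # and surfaced only as a confusing gpg error; fail explicitly instead.
    if keyring_file_name is None:
        _fail("Upstream signature verification failed",
              "No upstream signing key found (debian/upstream/signing-key.asc)")

    # Find out the gpg and gpgv binaries, preferring the gpg2/gpgv2 names.
    gpg_bin = _first_existing(['/usr/bin/gpg2', '/usr/bin/gpg'], os.path.exists)
    gpgv_bin = _first_existing(['/usr/bin/gpgv2', '/usr/bin/gpgv'], os.path.exists)
    # Checking up front avoids an unhandled FileNotFoundError from subprocess.
    if gpg_bin is None or gpgv_bin is None:
        _fail("Upstream signature verification failed",
              "gpg and gpgv are required but were not found under /usr/bin")

    # The temporary GnuPG home is removed as soon as verification finishes,
    # even when we exit through _fail().
    with tempfile.TemporaryDirectory() as temp_dir:
        bin_keyring = os.path.join(temp_dir, "trustedkeys.gpg")

        # Create a binary keyring from the plain text keyring file selected above.
        # --no-default-keyring keeps the user's own keys out of the result.
        try:
            subprocess.check_call([gpg_bin,
                                   "--homedir", temp_dir,
                                   "--no-options", "-q", "--batch", "--no-default-keyring",
                                   "--output", bin_keyring,
                                   "--dearmor", keyring_file_name])
        except subprocess.CalledProcessError as exception:
            _fail("Upstream signature verification failed", str(exception))

        # Verify the signature using the binary keyring generated above.
        # gpgv has no web of trust: every key in the keyring it is given counts
        # as fully trusted, so the keyring must hold only the upstream key(s).
        # A non-zero exit status (bad or missing signature, unknown key) is
        # treated as failure, so verification fails closed.
        try:
            subprocess.check_call([gpgv_bin,
                                   "--homedir", temp_dir,
                                   "--keyring", bin_keyring,
                                   sig_file_name, file_name])
        except subprocess.CalledProcessError as exception:
            _fail("Upstream signature verification failed", str(exception))


def _first_existing(candidates, predicate):
    """Return the first path in ``candidates`` for which ``predicate`` is true, else ``None``."""
    return next((path for path in candidates if predicate(path)), None)


def _fail(*messages):
    """Report each message through ``ka_print_error`` and exit with status 1."""
    for message in messages:
        ka_print_error(message)
    sys.exit(1)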