bug-gnulib

From: Simon Josefsson
Subject: Re: [PATCH] build-aux/announce-gen: Use Release keyrings on Savannah for GnuPG
Date: Mon, 14 Mar 2022 11:27:03 +0100

"Darshit Shah" <darnir@gnu.org> writes:

> I don't have push access to gnulib, so could you please push it for me?

I ended up pushing the patch below.  There are several considerations
here:

* We want the OpenPGP Key identifier to be mentioned in the e-mail, it
  provides a strong hash-based coupling between the (hopefully signed)
  e-mail and the resulting retrieved OpenPGP key.  Searching keys based
  on email address, or downloading a URL, introduces trust on some
  remote server to offer the correct key.  While OpenPGP key IDs are
  user-unfriendly, I think this should remain the preferred (and thus
  first) suggestion in the list of commands to try because it offers
  extra resilience.

* I settled on suggesting the simple 'gpg --locate-external-key', which
  requires a bit more modern GnuPG, see [1] for further discussion.

* A developer may want to put gpg_key_email="" or gpg_keyring_url="" in
  cfg.mk to avoid adding these lines to the announcement.

* I moved the default URL from announce-gen to maint.mk, mostly to make
  the code to support the previous point easier.

/Simon

[1] https://gitlab.com/libidn/libidn2/-/issues/98#note_635780242

From 2ca890b56420158076f9027ef432311a5645fc2b Mon Sep 17 00:00:00 2001
From: Simon Josefsson <simon@josefsson.org>
Date: Mon, 14 Mar 2022 11:14:50 +0100
Subject: [PATCH] maintainer-makefile: Improve GnuPG announce-gen options.

* top/maint.mk (gpg_key_emil): New variable.
(gpg_keyring_url): New variable.
(announcement): Pass them as --gpg-key-email and
--gpg-keyring-url.
---
 ChangeLog    | 6 ++++++
 top/maint.mk | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/ChangeLog b/ChangeLog
index e68ce4546b..1f60d9a44c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,12 @@
        (main): Don't suggest 'gpg --keyserver' since the situation with
        public key servers is complicated and GnuPG version dependent.
 
+       maintainer-makefile: Improve GnuPG announce-gen options.
+       * top/maint.mk (gpg_key_emil): New variable.
+       (gpg_keyring_url): New variable.
+       (announcement): Pass them as --gpg-key-email and
+       --gpg-keyring-url.
+
 2022-03-13  Ben Pfaff  <blp@cs.stanford.edu>
 
        Document Automake 1.14 requirement in NEWS, too, since it had been
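Review bot: the ChangeLog entry `* top/maint.mk (gpg_key_emil): New variable.` misspells the variable; the name actually introduced in top/maint.mk is `gpg_key_email`, so the entry should read `(gpg_key_email)`. The commit message at the top of the patch carries the same typo and should be corrected together with it.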
diff --git a/top/maint.mk b/top/maint.mk
index 92cef425cf..b9f483bf97 100644
--- a/top/maint.mk
+++ b/top/maint.mk
@@ -1391,6 +1391,11 @@ gpg_key_ID ?=                                            
                \
      && git cat-file tag v$(VERSION)                                   \
         | $(gpgv) --status-fd 1 --keyring /dev/null - - 2>/dev/null    \
         | $(AWK) '/^\[GNUPG:\] ERRSIG / {print $$3; exit}')
+gpg_key_email ?=                                                       \
+  $$(gpg --list-key --with-colons $(gpg_key_ID) 2>/dev/null            \
+       | $(AWK) -F: '/^uid/ {print $$10; exit}'                        \
+       | $(SED) -n 's/.*<\(.*\)>/\1/p')
+gpg_keyring_url ?= 
https://savannah.gnu.org/project/release-gpgkeys.php?group=$(PACKAGE)&download=1
 
 translation_project_ ?= coordinator@translationproject.org
 
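Review bot: the `gpg_key_email` default runs `gpg --list-key --with-colons $(gpg_key_ID)` without checking that `gpg_key_ID` is non-empty; when the signed-tag lookup just above it finds no signature, `gpg --list-key` with no argument lists every key in the local keyring and the pipeline silently returns the e-mail of the first uid of the first key, which would then be announced as the release signer's address. Suggest guarding it, e.g. `$$(test -n "$(gpg_key_ID)" && gpg --list-key --with-colons $(gpg_key_ID) 2>/dev/null \`, and bear in mind that the `2>/dev/null` also hides the case where the key is not present locally at all.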
@@ -1421,6 +1426,10 @@ announcement: NEWS ChangeLog $(rel-files)
            --prev=$(PREV_VERSION)                                      \
            --curr=$(VERSION)                                           \
            --gpg-key-id=$(gpg_key_ID)                                  \
+           $$(test -n "$(gpg_key_email)" &&                            \
+              echo --gpg-key-email="$(gpg_key_email)")                 \
+           $$(test -n "$(gpg_keyring_url)" &&                          \
+              echo --gpg-keyring-url="$(gpg_keyring_url)")             \
            --srcdir=$(srcdir)                                          \
            --news=$(srcdir)/NEWS                                       \
            --bootstrap-tools=$(bootstrap-tools)                        \
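Review bot: the two `$$(test -n "..." && echo --gpg-key-email="...")` substitutions are unquoted, so their output is word-split and glob-expanded by the shell before it reaches announce-gen; the default keyring URL contains `?`, which turns it into a glob pattern (harmless unless a matching path happens to exist, but fragile), and with the `gpg_key_email` default the gpg lookup runs twice, once inside `test -n` and once inside `echo`. Suggest computing each value once into a shell variable ahead of the announce-gen call, e.g. `e="$(gpg_key_email)"; u="$(gpg_keyring_url)";`, and passing `$${e:+--gpg-key-email="$$e"}` and `$${u:+--gpg-keyring-url="$$u"}`, which keeps the optional arguments quoted and still omits them when empty.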
-- 
2.30.2

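As an added example, not part of this patch or of gnulib's announce-gen: the recipient-side counterpart of the first point in Simon's mail. Given the status lines that `gpgv --status-fd 1` prints when a release signature is checked against the keyring downloaded from Savannah, the check below confirms that the key which actually made the signature is the one whose ID the announcement quotes, instead of trusting whichever key the keyring or a key server returned. The status lines, fingerprint and key ID are constructed samples and the function name is mine.

```sh
#!/bin/sh
# Constructed sample of what `gpgv --status-fd 1 --keyring <savannah-keyring>
# release.tar.gz.sig release.tar.gz` prints for a good signature; fingerprint
# and key ID are made up.  The long key ID (GOODSIG) is the last 16 hex
# digits of the fingerprint (VALIDSIG).
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0000111122223333444455550123456789ABCDEF 2022-03-14 1647253623 0 4 0 22 10 00 0000111122223333444455550123456789ABCDEF'

# Constructed sample for the key-not-in-keyring case (rc 9 = NO_PUBKEY), the
# same line maint.mk harvests the key ID from: no VALIDSIG, so nothing can match.
STATUS_ERRSIG='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 22 10 00 1647253623 9 0000111122223333444455550123456789ABCDEF'

# announced_key_signed STATUS_LINES ANNOUNCED_ID
# Succeeds only if a VALIDSIG line's fingerprint ends with ANNOUNCED_ID.
# ANNOUNCED_ID may be the long (16 hex digit) key ID quoted in the
# announcement or the full fingerprint; anything shorter is refused because
# 8-digit short IDs are cheap to collide.  Case and a leading 0x are ignored.
announced_key_signed() {
  want=$(printf '%s' "$2" | sed 's/^0[xX]//; s/ //g' | tr 'abcdef' 'ABCDEF')
  printf '%s\n' "$1" | awk -v want="$want" '
    /^\[GNUPG:\] VALIDSIG / {
      fpr = toupper($3)
      n = length(want)
      if (n >= 16 && n <= length(fpr) && substr(fpr, length(fpr) - n + 1) == want)
        found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

if announced_key_signed "$STATUS_GOOD" 0123456789ABCDEF; then
  echo 'release signature was made by the announced key'
fi
```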