| 1 | #!/usr/bin/env python |
|---|
| 2 | |
|---|
| 3 | # Less terrible, ugly hack of a script than getsigs.pl, but similar. Used to |
|---|
| 4 | # verify the signatures on the release tarballs and produce the list of who |
|---|
| 5 | # signed them in the format we use for the announcements. |
|---|
| 6 | # |
|---|
| 7 | # To use just run it in the directory with the signatures and tarballs and |
|---|
| 8 | # pass the version of subversion you want to check. It assumes gpg is on |
|---|
| 9 | # your path, if it isn't you should fix that. :D |
|---|
| 10 | # |
|---|
| 11 | # Script will die if any gpg process returns an error. |
|---|
| 12 | # |
|---|
| 13 | # Because I hate perl... |
|---|
| 14 | |
|---|
| 15 | import glob, subprocess, shutil, sys, re |
|---|
| 16 | |
|---|
| 17 | key_start = '-----BEGIN PGP SIGNATURE-----\n' |
|---|
| 18 | sig_pattern = re.compile(r'^gpg: Signature made .*? using \w+ key ID (\w+)') |
|---|
| 19 | fp_pattern = re.compile(r'^pub\s+(\w+\/\w+)[^\n]*\n\s+Key\sfingerprint\s=((\s+[0-9A-F]{4}){10})\nuid\s+([^<\(]+)\s') |
|---|
| 20 | |
|---|
| 21 | |
|---|
| 22 | def grab_sig_ids(): |
|---|
| 23 | good_sigs = {} |
|---|
| 24 | |
|---|
| 25 | for filename in glob.glob('subversion-*.asc'): |
|---|
| 26 | shutil.copyfile(filename, '%s.bak' % filename) |
|---|
| 27 | text = open(filename).read() |
|---|
| 28 | keys = text.split(key_start) |
|---|
| 29 | |
|---|
| 30 | for key in keys[1:]: |
|---|
| 31 | open(filename, 'w').write(key_start + key) |
|---|
| 32 | gpg = subprocess.Popen(['gpg', '--logger-fd', '1', |
|---|
| 33 | '--verify', filename], |
|---|
| 34 | stdout=subprocess.PIPE, |
|---|
| 35 | stderr=subprocess.STDOUT) |
|---|
| 36 | |
|---|
| 37 | rc = gpg.wait() |
|---|
| 38 | output = gpg.stdout.read() |
|---|
| 39 | if rc: |
|---|
| 40 | # gpg choked, die with an error |
|---|
| 41 | print(output) |
|---|
| 42 | sys.stderr.write("BAD SIGNATURE in %s\n" % filename) |
|---|
| 43 | shutil.move('%s.bak' % filename, filename) |
|---|
| 44 | sys.exit(1) |
|---|
| 45 | |
|---|
| 46 | for line in output.split('\n'): |
|---|
| 47 | match = sig_pattern.match(line) |
|---|
| 48 | if match: |
|---|
| 49 | key_id = match.groups()[0] |
|---|
| 50 | good_sigs[key_id] = True |
|---|
| 51 | |
|---|
| 52 | shutil.move('%s.bak' % filename, filename) |
|---|
| 53 | |
|---|
| 54 | return good_sigs |
|---|
| 55 | |
|---|
| 56 | |
|---|
| 57 | def generate_output(good_sigs): |
|---|
| 58 | for id in good_sigs.keys(): |
|---|
| 59 | gpg = subprocess.Popen(['gpg', '--fingerprint', id], |
|---|
| 60 | stdout=subprocess.PIPE, stderr=subprocess.STDOUT) |
|---|
| 61 | rc = gpg.wait() |
|---|
| 62 | gpg_output = gpg.stdout.read() |
|---|
| 63 | if rc: |
|---|
| 64 | print(gpg_output) |
|---|
| 65 | sys.stderr.write("UNABLE TO GET FINGERPRINT FOR %s" % id) |
|---|
| 66 | sys.exit(1) |
|---|
| 67 | |
|---|
| 68 | fp = fp_pattern.match(gpg_output).groups() |
|---|
| 69 | print(" %s [%s] with fingerprint:" % (fp[3], fp[0])) |
|---|
| 70 | print(" %s" % fp[1]) |
|---|
| 71 | |
|---|
| 72 | |
|---|
| 73 | if __name__ == '__main__': |
|---|
| 74 | if len(sys.argv) < 2: |
|---|
| 75 | print("Give me a version number!") |
|---|
| 76 | sys.exit(1) |
|---|
| 77 | |
|---|
| 78 | generate_output(grab_sig_ids()) |
|---|
