tools/secretstore: fix gpg encryption for expired key

We also set --trust-model=always, as we explicitly ship GPG fingerprints, so there's no need to rely on GPG's web of trust shenanigans. Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52
2021-06-06 12:53:11 +00:00 · 2021-06-06 12:53:11 +00:00 · f97c9688d5
parent 4e534cc03c
commit f97c9688d5
1 changed files with 14 additions and 2 deletions
--- a/tools/secretstore.py
+++ b/tools/secretstore.py
@ -49,6 +49,10 @@ keys = [
    "0879F9FCA1C836677BB808C870FD60197E195C26", # implr
 ]

+# Currently, Patryk's GPG key is expired. This hacks around that by pretending
+# it's January 2021.
+# TODO(q3k/patryk): remove this once Patryk updates his key.
+systime = '20210101T000000'

 _logger_name = __name__
 if _logger_name == '__main__':
@ -61,7 +65,15 @@ class CLIException(Exception):


 def encrypt(src, dst):
-    cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', dst]
+    cmd = [
+        'gpg' , 
+        '--encrypt',
+        '--faked-system-time', systime,
+        '--trust-model', 'always',
+        '--armor',
+        '--batch', '--yes',
+        '--output', dst,
+    ]
    for k in keys:
        cmd.append('--recipient')
        cmd.append(k)
@ -80,7 +92,7 @@ def _encryption_key_for_fingerprint(fp):
    Returns the encryption key ID for a given GPG fingerprint (eg. one from the
    'keys' list.
    """
-    cmd = ['gpg', '-k', '--keyid-format', 'long', fp]
+    cmd = ['gpg', '-k', '--faked-system-time', systime, '--keyid-format', 'long', fp]
    res = subprocess.check_output(cmd).decode()

    # Sample output: