4
0
Fork 2
mirror of https://gerrit.hackerspace.pl/hscloud synced 2024-10-15 05:57:46 +00:00

tools/secretstore: fix gpg encryption for expired key

We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust
shenanigans.

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52
This commit is contained in:
q3k 2021-06-06 12:53:11 +00:00
parent 4e534cc03c
commit f97c9688d5

View file

@ -49,6 +49,10 @@ keys = [
"0879F9FCA1C836677BB808C870FD60197E195C26", # implr
]
# Currently, Patryk's GPG key is expired. This hacks around that by pretending
# it's January 2021.
# TODO(q3k/patryk): remove this once Patryk updates his key.
systime = '20210101T000000'
_logger_name = __name__
if _logger_name == '__main__':
@ -61,7 +65,15 @@ class CLIException(Exception):
def encrypt(src, dst):
cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', dst]
cmd = [
'gpg' ,
'--encrypt',
'--faked-system-time', systime,
'--trust-model', 'always',
'--armor',
'--batch', '--yes',
'--output', dst,
]
for k in keys:
cmd.append('--recipient')
cmd.append(k)
@ -80,7 +92,7 @@ def _encryption_key_for_fingerprint(fp):
Returns the encryption key ID for a given GPG fingerprint (eg. one from the
'keys' list.
"""
cmd = ['gpg', '-k', '--keyid-format', 'long', fp]
cmd = ['gpg', '-k', '--faked-system-time', systime, '--keyid-format', 'long', fp]
res = subprocess.check_output(cmd).decode()
# Sample output: