Bug 360459

Summary:	repoman should check for gpg key validity before doing anything else
Product:	Portage Development	Reporter:	SpanKY <vapier>
Component:	Repoman	Assignee:	Portage team <dev-portage>
Status:	RESOLVED DUPLICATE
Severity:	normal	CC:	pva, williamh, yac
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=298605 https://bugs.gentoo.org/show_bug.cgi?id=473926
Whiteboard:
Package list:		Runtime testing required:	---

Description SpanKY gentoo-dev

2011-03-25 18:17:26 UTC

when someone's gpg key expires, repoman will make all the normal commits, and then the key issue will be noticed only when the manifest is regenerated.  this leaves a window where the changes have been pushed up but not the manifest, and it could take some time for the dev to fix things.

similarly, when a password is required, the user is prompted for it after the initial commit.  we can really only handle this if people are using gpg-agent, as prompting for the key otherwise wont cache the result for the 2nd usage.

so, if the user has PORTAGE_GPG_KEY set, repoman should, before making any commits, do the following:
 - verify the key is still valid (not expired)
 - if gpg-agent is available (look for env GPG_AGENT_INFO), attempt to use the key so the password prompt comes up before anything is committed

Comment 1 SpanKY gentoo-dev

2011-03-25 18:20:16 UTC

and if we can verify gpg-agent is active, make sure that the current signing settings will not result in a SHA1 digest.  not sure if we could find this out just by running `gpg` itself though and asking for its current settings ...

Comment 2 SpanKY gentoo-dev

2011-03-25 18:35:00 UTC

once the commit has been done, it'd be good if repoman also checked for the expiration of the key.  if it is coming up soon (like 1 week or something), issue a warning that their key is going to expire soon.

Comment 3 Jan Matějka (RETIRED) gentoo-dev

2013-06-27 19:06:08 UTC


*** This bug has been marked as a duplicate of bug 298605 ***