[dak/master] generate-releases: add option to specify GnuPG homedir
In GnuPG2 the '--secret-keyring' option is deprecated and we need to
specify the homedir instead. A new option to specify a passphrase
file (for keys on smartcards) is also included.
Also stops using `os.system` in favor of `subprocess.check_call`.
---
dak/generate_releases.py | 37 ++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/dak/generate_releases.py b/dak/generate_releases.py
index 6b8ea752..4b6e23cd 100755
--- a/dak/generate_releases.py
+++ b/dak/generate_releases.py
@@ -81,12 +81,20 @@ SUITE can be a space separated list, e.g.
def sign_release_dir(suite, dirname):
cnf = Config()
- if cnf.has_key("Dinstall::SigningKeyring"):
- keyring = "--secret-keyring \"%s\"" % cnf["Dinstall::SigningKeyring"]
- if cnf.has_key("Dinstall::SigningPubKeyring"):
- keyring += " --keyring \"%s\"" % cnf["Dinstall::SigningPubKeyring"]
-
- arguments = "--no-options --batch --no-tty --armour --personal-digest-preferences=SHA256"
+ if 'Dinstall::SigningKeyring' in cnf or 'Dinstall::SigningHomedir' in cnf:
+ arguments = ['/usr/bin/gpg',
+ '--no-options', '--no-tty', '--batch', '--armour',
+ '--personal-digest-preferences', 'SHA256',
+ ]
+ if 'Dinstall::SigningHomedir' in cnf:
+ arguments.extend(['--homedir', cnf['Dinstall::SigningHomedir']])
+ if 'Dinstall::SigningPassphraseFile' in cnf:
+ arguments.extend(['--pinentry-mode', 'loopback',
+ '--passphrase-file', cnf['Dinstall::SigningPassphraseFile']])
+ if 'Dinstall::SigningKeyring' in cnf:
+ arguments.extend(['--secret-keyring', cnf['Dinstall::SigningKeyring']])
+ if 'Dinstall::SigningPubKeyring' in cnf:
+ arguments.extend(['--keyring', cnf['Dinstall::SigningKeyring']])
relname = os.path.join(dirname, 'Release')
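Review bot: The `--keyring` argument added under the `'Dinstall::SigningPubKeyring' in cnf` check is filled from `cnf['Dinstall::SigningKeyring']`, so the configured public keyring is never passed to gpg and the secret keyring path is passed twice. With only `Dinstall::SigningHomedir` and `Dinstall::SigningPubKeyring` set, that lookup would presumably fail on the missing key instead. The line should read `arguments.extend(['--keyring', cnf['Dinstall::SigningPubKeyring']])`. A short comment next to `--passphrase-file` saying the file must be readable only by the signing user would also help, since the patch now routes the key passphrase through a path taken from configuration. The body of sign_release_dir continues beyond this hunk.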
@@ -98,14 +106,17 @@ def sign_release_dir(suite, dirname):
if os.path.exists(inlinedest):
os.unlink(inlinedest)
- defkeyid=""
for keyid in suite.signingkeys or []:
- defkeyid += "--local-user %s " % keyid
-
- os.system("gpg %s %s %s --detach-sign <%s >>%s" %
- (keyring, defkeyid, arguments, relname, dest))
- os.system("gpg %s %s %s --clearsign <%s >>%s" %
- (keyring, defkeyid, arguments, relname, inlinedest))
+ arguments.extend(['--local-user', keyid])
+
+ with open(relname, 'r') as stdin:
+ with open(dest, 'w') as stdout:
+ arguments_sign = arguments + ['--detach-sign']
+ subprocess.check_call(arguments_sign, stdin=stdin, stdout=stdout)
+ stdin.seek(0)
+ with open(inlinedest, 'w') as stdout:
+ arguments_sign = arguments + ['--clearsign']
+ subprocess.check_call(arguments_sign, stdin=stdin, stdout=stdout)
class XzFile(object):
def __init__(self, filename, mode='r'):
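Review bot: `subprocess.check_call` raises when gpg exits non-zero, but by then `dest` or `inlinedest` has already been opened with `'w'`, so a failed signing run leaves an empty or truncated signature file at its final path. Writing each signature to a temporary name in the same directory and calling `os.rename` only after `check_call` returns would keep the published files either absent or complete. The old `os.system` calls appended with `>>` and ignored the exit status, so both the truncation and the exception are new behaviour for callers of sign_release_dir. No hunk in this patch adds `import subprocess`, so confirm the module already imports it. The start of sign_release_dir lies outside this hunk.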
--
2.11.0