Re: popularity-contest and gpg

To: debian-popcon@lists.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: popularity-contest and gpg
From: Peter Pentchev <roam@ringlet.net>
Date: Fri, 28 Mar 2025 00:44:47 +0200
Message-id: <[🔎] Z-XU38jpP1ymYBLw@straylight.m.ringlet.net>
In-reply-to: <[🔎] Z-XHL5OEr265-VNT@seventeen>
References: <[🔎] Z-WcuEGflM5LlHG1@seventeen> <[🔎] Z-W9h8WGJorRpn5I@straylight.m.ringlet.net> <[🔎] Z-XBqhrsAxRmspZu@straylight.m.ringlet.net> <[🔎] Z-XHL5OEr265-VNT@seventeen>

On Thu, Mar 27, 2025 at 10:46:23PM +0100, Bill Allombert wrote:
> On Thu, Mar 27, 2025 at 11:22:50PM +0200, Peter Pentchev wrote:
> > > I am among the people who have moved towards the Sequoia family of
> > > cryptographic tools; in particular, sqop (a Sequoia implementation of
> > > the SOP command-line interface) seems to work:
> > > 
> > >     [roam@straylight ~]$ echo canttouchthis | sqop encrypt /usr/share/popularity-contest/debian-popcon.gpg | pgpdump
> > >     New: Public-Key Encrypted Session Key Packet(tag 1)(524 bytes)
> > >             New version(3)
> > >             Key ID - 0x4E9024B327CBD937
> > >             Pub alg - RSA Encrypt or Sign(pub 1)
> > >             RSA m^e mod n(4095 bits) - ...
> > >                     -> m = sym alg(1 byte) + checksum(2 bytes) + PKCS-1 block type 02
> > >     New: Symmetrically Encrypted and MDC Packet(tag 18)(63 bytes)
> > >             Ver 1
> > >             Encrypted data [sym alg is specified in pub-key encrypted session key]
> > >                     (plain text + MDC SHA1(20 bytes))
> > >     [roam@straylight ~]$
> > > 
> > > Hope that helps!
> > 
> > Sent too fast. What I really intended to suggest was to support any SOP
> > implementation (the command-line interface is the same, that's the point) and
> > possibly prefer one as default. See e.g. dpkg-buildpackage for
> > an example (and a great big thanks, Guillem! the SOP support there made
> > unattended automated signing much easier!).
> 
> Could you provide a patch for supporting that ?
> (the file is /etc/cron.daily/popularity-contest)

Here you go. Let me know if you'd like me to rename the variables to
uppercase, change the indentation, or change anything else to make it
easier for you to review.

(the patch itself is much clearer if you apply it and then run
 `diff -b` against the original)

G'luck,
Peter

-- 
Peter Pentchev  roam@ringlet.net roam@debian.org peter@morpheusly.com
PGP key:        https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13

From 94e4b3314e6be7c1599a4ce6fd160f72a7ac3a22 Mon Sep 17 00:00:00 2001
From: Peter Pentchev <roam@debian.org>
Date: Fri, 28 Mar 2025 00:39:48 +0200
Subject: [PATCH] Also support sqop, rsop, and gosop for OpenPGP encryption

---
 debian/cron.daily | 64 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 58 insertions(+), 6 deletions(-)

diff --git a/debian/cron.daily b/debian/cron.daily
index 26a3693..68b1f59 100644
--- a/debian/cron.daily
+++ b/debian/cron.daily
@@ -132,22 +132,74 @@ do_sendmail()
 
 /usr/sbin/popularity-contest --su-nobody > $POPCON
 
-GPG=/usr/bin/gpg
+unset opgp_prog opgp_mode
+for candidate in \
+    /usr/bin/sqop:sop \
+    /usr/bin/gosop:sop \
+    /usr/bin/rsop:sop \
+    /usr/bin/gpg:gnupg \
+    ; do
+  cand_prog="${candidate%%:*}"
+  cand_mode="${candidate#*:}"
+
+  unset okay
+  if [ -f "$cand_prog" ] && [ -x "$cand_prog" ]; then
+    case "$cand_mode" in
+      gnupg)
+        if "$cand_prog" --dump-options | grep -Fqe '--no-default-keyring'; then
+          okay=1
+        fi
+        ;;
+
+      sop)
+        if "$cand_prog" list-profiles encrypt | grep -Fqe 'rfc4880'; then
+          okay=1
+        fi
+        ;;
+
+      *)
+      echo "Internal error: unexpected OpenPGP mode '$opgp_mode'" 1>&2
+      exit 1
+      ;;
+    esac
+  fi
 
-if [ "$ENCRYPT" = "yes" ] && ! [ -x "$GPG" ]; then
-  logger -t popularity-contest "encryption required but gpg is not available."
-  echo "popularity-contest: encryption required but gpg is not available." 2>&1
+  if [ -n "$okay" ]; then
+    opgp_prog="$cand_prog"
+    opgp_mode="$cand_mode"
+    break
+  fi
+done
+
+if [ "$ENCRYPT" = "yes" ] && [ -z "$opgp_prog" ]; then
+  logger -t popularity-contest "encryption required but no OpenPGP tool is available."
+  echo "popularity-contest: encryption required but no OpenPGP tool is available." 2>&1
   exit 1
 fi
 
-if [ -x "$GPG" ] && [ "$ENCRYPT" = "maybe" ] || [ "$ENCRYPT" = "yes" ]; then
+if [ -n "$opgp_prog" ] && [ "$ENCRYPT" = "maybe" ] || [ "$ENCRYPT" = "yes" ]; then
   POPCONGPG="$POPCON.gpg"
   rm -f "$POPCONGPG"
+
+  case "$opgp_mode" in
+    gnupg)
   GPGHOME=`mktemp -d`
-  $GPG --batch --no-options --no-default-keyring --trust-model=always \
+      $opgp_prog --batch --no-options --no-default-keyring --trust-model=always \
        --homedir "$GPGHOME" --keyring $KEYRING --quiet \
        --armor -o "$POPCONGPG" -r $POPCONKEY --encrypt "$POPCON"
   rm -rf "$GPGHOME"
+      ;;
+
+    sop)
+      "$opgp_prog" encrypt "$KEYRING" < "$POPCON" > "$POPCONGPG"
+      ;;
+
+    *)
+      echo "Internal error: unexpected OpenPGP mode '$opgp_mode'" 1>&2
+      exit 1
+      ;;
+  esac
+
   POPCON="$POPCONGPG"
 fi
 
-- 
2.47.2

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: popularity-contest and gpg
  - From: Peter Pentchev <roam@ringlet.net>

References:
- popularity-contest and gpg
  - From: Bill Allombert <ballombe@debian.org>
- Re: popularity-contest and gpg
  - From: Peter Pentchev <roam@ringlet.net>
- Re: popularity-contest and gpg
  - From: Peter Pentchev <roam@ringlet.net>
- Re: popularity-contest and gpg
  - From: Bill Allombert <ballombe@debian.org>

Prev by Date: Re: popularity-contest and gpg
Next by Date: Re: popularity-contest and gpg
Previous by thread: Re: popularity-contest and gpg
Next by thread: Re: popularity-contest and gpg
Index(es):
- Date
- Thread