[Libguestfs] [PATCH 2/3] builder: trust the imported keys

In every SigChecker, trust by default the keys imported. This should make gpg happier when using the keys later, used only when validating the signatures of index files. --- builder/sigchecker.ml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/builder/sigchecker.ml b/builder/sigchecker.ml index a1a4220..b54977f 100644 --- a/builder/sigchecker.ml +++ b/builder/sigchecker.ml @@ -33,7 +33,7 @@ type t = { } (* Import the specified key file. *) -let import_keyfile ~gpg ~gpghome ~verbose keyfile = +let import_keyfile ~gpg ~gpghome ~verbose ?(trust = true) keyfile = let status_file = Filename.temp_file "vbstat" ".txt" in unlink_on_exit status_file; let cmd = sprintf "%s --homedir %s --status-file %s --import %s%s" @@ -45,14 +45,25 @@ let import_keyfile ~gpg ~gpghome ~verbose keyfile = error (f_"could not import public key\nUse the '-v' option and look for earlier error messages."); let status = read_whole_file status_file in let status = string_nsplit "\n" status in + let key_id = ref "" in let fingerprint = ref "" in List.iter ( fun line -> let line = string_nsplit " " line in match line with | "[GNUPG:]" :: "IMPORT_OK" :: _ :: fp :: _ -> fingerprint := fp + | "[GNUPG:]" :: "IMPORTED" :: key :: _ -> key_id := key | _ -> () ) status; + if trust then ( + let cmd = sprintf "%s --homedir %s --trusted-key %s --list-keys%s" + gpg gpghome (quote !key_id) + (if verbose then "" else " >/dev/null 2>&1") in + if verbose then printf "%s\n%!" cmd; + let r = Sys.command cmd in + if r <> 0 then + error (f_"GPG failure: could not trust the imported key\nUse the '-v' option and look for earlier error messages."); + ); !fingerprint let rec create ~verbose ~gpg ~gpgkey ~check_signature = -- 2.1.0