RubyGems - rubygems-openpgp - Versions diffs - 0.3.0 → 0.4.0 - Mend

rubygems-openpgp 0.3.0 → 0.4.0

Files changed (6) hide show

data/LICENSE +1 -1
data/lib/rubygems/gem_openpgp.rb +84 -17
data/lib/rubygems_plugin.rb +17 -1
data.tar.gz.asc +7 -7
metadata +15 -5
metadata.gz.asc +7 -7

data/LICENSE CHANGED Viewed

@@ -1,4 +1,4 @@
-Copyright (c) 2011, Grant T. Olson
+Copyright (c) 2011, 2013 Grant T. Olson
 All rights reserved.
 Redistribution and use in source and binary forms, with or without

data/lib/rubygems/gem_openpgp.rb CHANGED Viewed

@@ -4,6 +4,7 @@ require 'rubygems/user_interaction'
 require 'shellwords'
 require 'open3'
 require 'tempfile'
+require 'gpg_status_parser'
 # Exception for this class
 class Gem::OpenPGPException < RuntimeError; end
@@ -29,9 +30,51 @@ module Gem::OpenPGP
     homedir_flag = ""
     homedir_flag = "--homedir #{shellescape(homedir)}" if homedir
-    cmd = "gpg #{key_flag} #{homedir_flag} --detach-sign --armor"
-    sig, err = run_gpg_command cmd, data
-    sig
+    gpg_args = "#{key_flag} #{homedir_flag} --detach-sign --armor"
+    gpg_results = run_gpg(gpg_args, data)
+    did_gpg_error? gpg_results
+    gpg_results[:stdout]
+  end
+  # Extract the info we care about, throw away the rest
+  def self.verify_extract_status_info message, status_info
+      case message.status
+      when :GOODSIG, :BADSIG, :ERRSIG
+        status_info[:good_or_bad] = message.status
+        status_info[:uid] = (message.args[:username] || "").strip
+      when :SIG_ID
+      when :VALIDSIG, :EXPSIG, :BADSIG
+        status_info[:sig_status] = message.status
+        status_info[:primary_key] = "0x#{message.args[:primary_key_fpr][-9..-1]}"
+      when :TRUST_UNDEFINED, :TRUST_NEVER, :TRUST_MARGINAL, :TRUST_FULLY, :TRUST_ULTIMATE
+        status_info[:trust_status] = message.status
+      when :NO_PUBKEY
+        status_info[:failure] = "You don't have the public key.  Use --get-key to automagically retrieve from keyservers"
+      when :IMPORTED, :IMPORT_OK, :IMPORT_RES
+        #silently_ignore
+      when :KEYEXPIRED, :SIGEXPIRED
+        # recalculating trust db, ignore.
+      else
+        puts "unexpected message: #{message.status} #{message.args.inspect}"
+      end
+  end
+  # Print info about the sig, check that we like it, and possibly abort
+  def self.verify_check_sig status_info
+    sig_msg = "Signature for #{status_info[:file_name]} from user #{status_info[:uid]} key #{status_info[:primary_key]} is #{status_info[:good_or_bad]}, #{status_info[:sig_status]} and #{status_info[:trust_status]}"
+    if status_info[:trust_status] == :TRUST_NEVER
+      say add_color(sig_msg, :red)
+      raise Gem::OpenPGPException, "Never Trusted.  Won't install."
+    elsif status_info[:trust_status] == :TRUST_UNDEFINED
+      say add_color(sig_msg, :yellow)
+      if options[:trust] && !options[:no_trust]
+        raise Gem::OpenPGPException, "Trust Undefined and you've specified --trust.  Won't install."
+      end
+    else
+      say add_color(sig_msg , :green)
+    end
   end
   # Given a string containing data, and a string containing
@@ -39,7 +82,7 @@ module Gem::OpenPGP
   # then raise an exception.
   #
   # Optionally tell gpg to retrive the key if it's not provided
-  def self.verify data, sig, get_key=false, homedir=nil
+  def self.verify file_name, data, sig, get_key=false, homedir=nil
     is_gpg_available
     is_homedir_valid homedir if homedir
@@ -51,10 +94,22 @@ module Gem::OpenPGP
     homedir_flags = ""
     homedir_flags = "--homedir #{homedir}" if homedir
-    cmd = "gpg #{get_key_params} #{homedir_flags} --verify #{sig_file.path} #{data_file.path}"
-    res, err = run_gpg_command cmd
-    [err, res]
+    gpg_args = "#{get_key_params} #{homedir_flags} --verify #{sig_file.path} #{data_file.path}"
+    status_info = {:file_name => file_name}
+    gpg_results = run_gpg(gpg_args) { |message| verify_extract_status_info(message, status_info) }
+    if status_info[:failure]
+      say add_color(status_info[:failure], :red)
+      raise Gem::OpenPGPException, "Fail!"
+    else
+      verify_check_sig status_info
+    end
+    did_gpg_error? gpg_results
+    [gpg_results[:stderr], gpg_results[:status]]
   end
   # Signs an existing gemfile by iterating the tar'ed up contents,
@@ -128,7 +183,6 @@ module Gem::OpenPGP
     tar_files.keys.each do |file_name|
       next if file_name[-4..-1] == ".asc"
-      say "Verifying #{file_name}..."
       sig_file_name = file_name + ".asc"
       if !tar_files.has_key? sig_file_name
@@ -137,10 +191,8 @@ module Gem::OpenPGP
       end
       begin
-        err, res = Gem::OpenPGP.verify(tar_files[file_name], tar_files[sig_file_name], get_key, homedir)
+        err, res = Gem::OpenPGP.verify(file_name, tar_files[file_name], tar_files[sig_file_name], get_key, homedir)
-        say add_color(err, :green)
-        say add_color(res, :green)
       rescue Gem::OpenPGPException => ex
         color_code = "31"
         say add_color(ex.message, :red)
@@ -154,6 +206,14 @@ module Gem::OpenPGP
 private
+  def self.did_gpg_error? gpg_results
+    if gpg_results[:status] != 0
+      say add_color("gpg returned unexpected status code", :red)
+      say add_color(gpg_results[:stderr], :red)
+      raise Gem::OpenPGPException, "gpg returned unexpected error code #{gpg_results[:status]}"
+    end
+  end
   # Tests to see if gpg is installed and available.
   def self.is_gpg_available
     err_msg = "Unable to find a working gnupg installation.  Make sure gnupg is installed and you can call 'gpg --version' from a command prompt."
@@ -177,18 +237,24 @@ private
     end
   end
-  def self.run_gpg_command cmd, data=nil
+  def self.run_gpg args, data=nil, &block
     exit_status = nil
-    stdout, stderr = Open3.popen3(cmd) do |stdin, stdout, stderr, wait_thr|
+    status_file = Tempfile.new("status")
+    full_gpg_command = "gpg --status-file #{status_file.path} #{args}"
+    gpg_results = Open3.popen3(full_gpg_command) do |stdin, stdout, stderr, wait_thr|
       stdin.write data if data
       stdin.close
       exit_status = wait_thr.value
+      GPGStatusParser.parse(status_file, &block)
       out = stdout.read()
       err = stderr.read()
-      raise Gem::OpenPGPException, "#{err}" if exit_status != 0
-      [out,err]
+      {:status => exit_status, :stdout => out, :err => err}
     end
-    [stdout, stderr]
+    gpg_results
+  ensure
+    status_file.close
+    status_file.unlink
   end
   def self.create_tempfile data
@@ -203,6 +269,7 @@ private
     color_code = case color
                  when :green then "32"
                  when :red then "31"
+                 when :yellow then "33"
                  else raise RuntimeError, "Invalid color #{color.inspect}"
                  end

data/lib/rubygems_plugin.rb CHANGED Viewed

@@ -38,6 +38,21 @@ i.add_option("--verify",
   Gem::OpenPGP.options[:verify] = true
 end
+i.add_option("--no-verify",
+             "Don't verify a gem, even if --verify has previously been specified") do |value, options|
+  Gem::OpenPGP.options[:no_verify] = true
+end
+i = Gem::CommandManager.instance[:install]
+i.add_option("--trust",
+             'Enforce gnupg trust settings.  Only install if trusted.') do |value, options|
+  Gem::OpenPGP.options[:trust] = true
+end
+i.add_option("--no-trust",
+             "Ignoure gnupg trust settings,  even if --trust has previously been specified") do |value, options|
+  Gem::OpenPGP.options[:no_trust] = true
+end
 i.add_option('--get-key', "If the key is not available, download it from a keyserver") do |key, options|
   Gem::OpenPGP.options[:get_key] = true
@@ -45,7 +60,8 @@ end
 Gem.pre_install do |installer|
   begin
-    if Gem::OpenPGP.options[:verify]
+    # --no-verify overrides --verify
+    if Gem::OpenPGP.options[:verify] && !Gem::OpenPGP.options[:no_verify]
       Gem::OpenPGP.verify_gem(installer.gem,
                               Gem::OpenPGP.options[:get_key])
     end

data.tar.gz.asc CHANGED Viewed

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
-iQEcBAABCgAGBQJRF6UkAAoJEP5F5V2hilTWp4EH/Ah94Ny5XMyjejkTuTAZPZw8
-6jG5gQ0dl5l8c6VyXgLNwSDmCt0Rj5J1ZVvkz8LXj7xJpDyXu77Gk2FCDS30R7vH
-4C3LbUdIGv5FhMGQ2CiVgPNbi8CRsNmnFg15otY782Uvu8sMbspkrVi31wFvWCz7
-Ik9tHle42aNwg5sYhYWi4gIHiLfQ3l+g6C2YJ38R/hKdU9J3Vu9RWxk3aAsSsuTp
-aEDxGvTkX+N9vUEdDIvpkZ7iuhATxiP4TpZo3vFORe0iwo44XQaZJQPb4jMKmnJt
-b9Q7a1o/WpmcPrnGDaHvsjPj4P5dFzaktDaafBCo7GUsws7JhN1sKZX1F4GSVjc=
-=FURw
+iQEcBAABCgAGBQJRKNObAAoJEP5F5V2hilTWjFYH/RPGxYJA41R43Yrgqu56vtAU
+iPY/pg041S42UnObIIFgA76fMeixzfFCdBkvFFnlDuqmbSLxtiJt0Q/ql5c/hFzA
+S/rKibb1I9nlzOJ3p/GO78HzaD/M2Ja/jdrJtt+w7LVqSVtfDOyS+lPe3wxzf6SS
+7hgpycQv6GX3C5AEGY/nP0btkDxNtYMGGgcYz3WfrOEQFDIKS6IU4iZCj5c6Zw4n
+yD2pAvHWoqdkYy0y+eUsi83E1zCL9fHEK3R/I+c9Kc4TQF2OXFmGZdc7wbYwtdPb
+yDqlTNo8mbm+kxek1P4PobHJ7QADHRC7kOSBMOXVw80JALUThAt11Y+bHOHv3/Y=
+=58pK
 -----END PGP SIGNATURE-----

metadata CHANGED Viewed

@@ -2,7 +2,7 @@
 name: rubygems-openpgp
 version: !ruby/object:Gem::Version
   prerelease:
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Grant Olson
@@ -10,10 +10,20 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-02-10 00:00:00 Z
-dependencies: []
-description: Digitally sign gems via OpenPGP instead of OpenSSL
+date: 2013-02-23 00:00:00 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: gpg_status_parser
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.3.0
+  type: :runtime
+  version_requirements: *id001
+description: Digitally sign gems via OpenPGP.
 email: kgo@grant-olson.net
 executables: []

metadata.gz.asc CHANGED Viewed

@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
-iQEcBAABCgAGBQJRF6UqAAoJEP5F5V2hilTW4WgIAL4AJ1PPxZv+AuAwxBOFgIqR
-m8tM5N9bNM+KVwBplbIpl1cP/VJFN6onDeNlEY0YlCSR/EHuCOvtjCB8AFquAy72
-+zNxniM0d9zcEL0JRx2SLl44EBQOaFAYZ6VgLbkox9OuwUjSeEfdo66gfMtgdkHN
-+Tl5XKjnu5cnszfBXqfHKLdSjhAYbk0TeGRicffFDLMn7jzwwmOd9uLMmG3CrPg0
-mZiZpYWoazFPDnQ+KKj12ojcUCjFc/D8Xy77e2G2PP8kVOKb79Gn6Fd+npJuXL1X
-/8Uzkrpwc3EGCpMzT0/q4EyHc35CkaFtdbAhd4n33Rob4j+yIhi0j72tttfv1Jk=
-=VFwb
+iQEcBAABCgAGBQJRKNOhAAoJEP5F5V2hilTWcBgIAIob5FD4SK6UxfnXQk0U+5nP
+huK6hsanhLbH3m3fqz2BkB/WBVonF0sqO2zNIw+qxnIl/r426iXmxTfNYF3F+0Ri
+mP7YF+HBNfuElraRBBKUXSCQoB0yxqLpx3mcDwjB//0Q9CWXdeCLzefbs7+4ca4q
+rBezyxSxRXun2qBMBs7FSZYkC6rsP58EgTi555WfxymiqEZ9fEi1r4rEM37F+z2w
+FBMlYjTJhATOIhHTi8nFQoGgjFcQG9a7cgABHGZwB9IR6k5O6IeTHVXCQvOlg4au
+cj6HKS8YKpJGZPlPIJVpLmW9UhUQukg4AwTpPAHIeIiwZYahitQtm0Ra5MnSJtc=
+=bh2W
 -----END PGP SIGNATURE-----