Make GPGKeyring a list of keyrings; drop PGPKeyring.

This allows for more than two keyrings to be used.

Make GPGKeyring a list of keyrings; drop PGPKeyring.
This allows for more than two keyrings to be used.
6c92853a · Anthony Towns · bf7e1ddf · 6c92853a · 6c92853a · 6c92853a
7 changed file
--- a/config/debian-non-US/dak.conf
+++ b/config/debian-non-US/dak.conf
 Dinstall
 {
-   PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   GPGKeyring {
-   GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   };
   SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
   SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
   SigningKeyIds "1DB114E0";

--- a/config/debian-security/dak.conf
+++ b/config/debian-security/dak.conf
 Dinstall
 {
-   PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   GPGKeyring {
-   GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+   };
   SigningKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/secring.gpg";
   SigningPubKeyring "/org/non-us.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
   SigningKeyIds "2D230C5F";

--- a/config/debian/dak.conf
+++ b/config/debian/dak.conf
 Dinstall
 {
-   PGPKeyring "/srv/keyring.debian.org/keyrings/debian-keyring.pgp";
+   GPGKeyrings {
-   GPGKeyring "/srv/keyring.debian.org/keyrings/debian-keyring.gpg";
+      "/srv/keyring.debian.org/keyrings/debian-keyring.gpg"; 
+      "/srv/keyring.debian.org/keyrings/debian-keyring.pgp";
+   };
   SigningKeyring "/srv/ftp.debian.org/s3kr1t/dot-gnupg/secring.gpg";
   SigningPubKeyring "/srv/ftp.debian.org/s3kr1t/dot-gnupg/pubring.gpg";
   SigningKeyIds "6070D3A1";

--- a/dak/import_archive.py
+++ b/dak/import_archive.py
@@ -98,8 +98,8 @@ def check_signature (filename):
        return None
    status_read, status_write = os.pipe()
-    cmd = "gpgv --status-fd %s --keyring %s --keyring %s %s" \
+    cmd = "gpgv --status-fd %s %s %s" \
-          % (status_write, Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"], filename)
+          % (status_write, daklib.utils.gpg_keyring_args(), filename)
    (output, status, exit_status) = daklib.utils.gpgv_get_status_output(cmd, status_read, status_write)
    # Process the status-fd output

--- a/dak/import_ldap_fingerprints.py
+++ b/dak/import_ldap_fingerprints.py
@@ -136,9 +136,8 @@ SELECT f.fingerprint, f.id, u.uid FROM fingerprint f, uid u WHERE f.uid = u.id
    q = projectB.query("SELECT fingerprint, id FROM fingerprint WHERE uid is null")
    for i in q.getresult():
        (fingerprint, fingerprint_id) = i
-        cmd = "gpg --no-default-keyring --keyring=%s --keyring=%s --fingerprint %s" \
+        cmd = "gpg --no-default-keyring %s --fingerprint %s" \
-              % (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"],
+              % (gpg_keyring_args(), fingerprint)
-                 fingerprint)
        (result, output) = commands.getstatusoutput(cmd)
        if result == 0:
            m = re_gpg_fingerprint.search(output)
@@ -156,9 +155,8 @@ SELECT f.fingerprint, f.id, u.uid FROM fingerprint f, uid u WHERE f.uid = u.id
            extra_keyrings = ""
            for keyring in Cnf.ValueList("Import-LDAP-Fingerprints::ExtraKeyrings"):
                extra_keyrings += " --keyring=%s" % (keyring)
-            cmd = "gpg --keyring=%s --keyring=%s %s --list-key %s" \
+            cmd = "gpg %s %s --list-key %s" \
-                  % (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"],
+                  % (gpg_keyring_args(), extra_keyrings, fingerprint)
-                     extra_keyrings, fingerprint)
            (result, output) = commands.getstatusoutput(cmd)
            if result != 0:
                cmd = "gpg --keyserver=%s --allow-non-selfsigned-uid --recv-key %s" % (Cnf["Import-LDAP-Fingerprints::KeyServer"], fingerprint)

--- a/daklib/utils.py
+++ b/daklib/utils.py
@@ -904,7 +904,7 @@ on error."""
    if not keyserver:
        keyserver = Cnf["Dinstall::KeyServer"]
    if not keyring:
-        keyring = Cnf["Dinstall::GPGKeyring"]
+        keyring = Cnf.ValueList("Dinstall::GPGKeyring")[0]
    # Ensure the filename contains no shell meta-characters or other badness
    if not re_taint_free.match(filename):
@@ -939,6 +939,14 @@ on error."""
 ################################################################################
+def gpg_keyring_args(keyrings=None)
+    if not keyrings:
+        keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
+    return " ".join(["--keyring %s" % x for x in keyrings])
+################################################################################
 def check_signature (sig_filename, reject, data_filename="", keyrings=None, autofetch=None):
    """Check the signature of a file and return the fingerprint if the
 signature is valid or 'None' if it's not.  The first argument is the
@@ -963,7 +971,7 @@ used."""
        return None
    if not keyrings:
-        keyrings = (Cnf["Dinstall::PGPKeyring"], Cnf["Dinstall::GPGKeyring"])
+        keyrings = Cnf.ValueList("Dinstall::GPGKeyring")
    # Autofetch the signing key if that's enabled
    if autofetch == None:
@@ -976,10 +984,9 @@ used."""
    # Build the command line
    status_read, status_write = os.pipe(); 
-    cmd = "gpgv --status-fd %s" % (status_write)
+    cmd = "gpgv --status-fd %s %s %s %s" % (
-    for keyring in keyrings:
+        status_write, gpg_keyring_args(keyrings), sig_filename, data_filename)
-        cmd += " --keyring %s" % (keyring)
-    cmd += " %s %s" % (sig_filename, data_filename)
    # Invoke gpgv on the file
    (output, status, exit_status) = gpgv_get_status_output(cmd, status_read, status_write)

--- a/docs/README.config
+++ b/docs/README.config
@@ -200,8 +200,10 @@ Mandatory.  List of dinstall options, e.g.:
 | Dinstall
 | {
-|    PGPKeyring "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+|    GPGKeyring {
-|    GPGKeyring "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+|       "/org/keyring.debian.org/keyrings/debian-keyring.gpg";
+|       "/org/keyring.debian.org/keyrings/debian-keyring.pgp";
+|    };
 |    SigningKeyring "/org/ftp.debian.org/s3kr1t/dot-gnupg/secring.gpg";
 |    SendmailCommand "/usr/sbin/sendmail -odq -oi -t";
 |    MyEmailAddress "Debian Installer <installer@ftp-master.debian.org>";
@@ -222,8 +224,8 @@ Mandatory.  List of dinstall options, e.g.:
 |    };
 | };
-PGPKeyring and GPGKeyring (required): filenames of the PGP and GnuPG
+GPGKeyring (required): filenames of the PGP and GnuPG
-keyrings to be used by dak respectively.
+keyrings to be used by dak.
 SigningKeyring (optional): this is the private keyring used by 'dak
 generate-releases'.