| #!/usr/bin/env python |
| # |
| # |
| # Licensed to the Apache Software Foundation (ASF) under one |
| # or more contributor license agreements. See the NOTICE file |
| # distributed with this work for additional information |
| # regarding copyright ownership. The ASF licenses this file |
| # to you under the Apache License, Version 2.0 (the |
| # "License"); you may not use this file except in compliance |
| # with the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, |
| # software distributed under the License is distributed on an |
| # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| # KIND, either express or implied. See the License for the |
| # specific language governing permissions and limitations |
| # under the License. |
| # |
| # |
| |
| # Less terrible, ugly hack of a script than getsigs.pl, but similar. Used to |
| # verify the signatures on the release tarballs and produce the list of who |
| # signed them in the format we use for the announcements. |
| # |
| # To use just run it in the directory with the signatures and tarballs and |
| # pass the version of subversion you want to check. It assumes gpg is on |
| # your path, if it isn't you should fix that. :D |
| # |
| # Script will die if any gpg process returns an error. |
| # |
| # Because I hate perl... |
| |
| import glob, subprocess, shutil, sys, re |
| |
| key_start = '-----BEGIN PGP SIGNATURE-----\n' |
| sig_pattern = re.compile(r'^gpg: Signature made .*? using \w+ key ID (\w+)') |
| fp_pattern = re.compile(r'^pub\s+(\w+\/\w+)[^\n]*\n\s+Key\sfingerprint\s=((\s+[0-9A-F]{4}){10})\nuid\s+([^<\(]+)\s') |
| |
| |
| def grab_sig_ids(): |
| good_sigs = {} |
| |
| for filename in glob.glob('subversion-*.asc'): |
| shutil.copyfile(filename, '%s.bak' % filename) |
| text = open(filename).read() |
| keys = text.split(key_start) |
| |
| for key in keys[1:]: |
| open(filename, 'w').write(key_start + key) |
| gpg = subprocess.Popen(['gpg', '--logger-fd', '1', |
| '--verify', filename], |
| stdout=subprocess.PIPE, |
| stderr=subprocess.STDOUT) |
| |
| rc = gpg.wait() |
| output = gpg.stdout.read() |
| if rc: |
| # gpg choked, die with an error |
| print(output) |
| sys.stderr.write("BAD SIGNATURE in %s\n" % filename) |
| shutil.move('%s.bak' % filename, filename) |
| sys.exit(1) |
| |
| for line in output.split('\n'): |
| match = sig_pattern.match(line) |
| if match: |
| key_id = match.groups()[0] |
| good_sigs[key_id] = True |
| |
| shutil.move('%s.bak' % filename, filename) |
| |
| return good_sigs |
| |
| |
| def generate_output(good_sigs): |
| for id in good_sigs.keys(): |
| gpg = subprocess.Popen(['gpg', '--fingerprint', id], |
| stdout=subprocess.PIPE, stderr=subprocess.STDOUT) |
| rc = gpg.wait() |
| gpg_output = gpg.stdout.read() |
| if rc: |
| print(gpg_output) |
| sys.stderr.write("UNABLE TO GET FINGERPRINT FOR %s" % id) |
| sys.exit(1) |
| |
| gpg_output = "\n".join([ l for l in gpg_output.splitlines() |
| if l[0:7] != 'Warning' ]) |
| |
| fp = fp_pattern.match(gpg_output).groups() |
| print(" %s [%s] with fingerprint:" % (fp[3], fp[0])) |
| print(" %s" % fp[1]) |
| |
| |
| if __name__ == '__main__': |
| if len(sys.argv) < 2: |
| print("Give me a version number!") |
| sys.exit(1) |
| |
| generate_output(grab_sig_ids()) |
