tools/dist/getsigs.py - subversion - Git at Google

 #!/usr/bin/env python

 # Less terrible, ugly hack of a script than getsigs.pl, but similar.  Used to
 # verify the signatures on the release tarballs and produce the list of who
 # signed them in the format we use for the announcements.
 #
 # To use just run it in the directory with the signatures and tarballs and
 # pass the version of subversion you want to check.  It assumes gpg is on
 # your path, if it isn't you should fix that. :D
 #
 # Script will die if any gpg process returns an error.
 #
 # Because I hate perl...

 import glob, subprocess, shutil, sys, re

 key_start = '-----BEGIN PGP SIGNATURE-----\n'
 sig_pattern = re.compile(r'^gpg: Signature made .*? using \w+ key ID (\w+)')
 fp_pattern = re.compile(r'^pub\s+(\w+\/\w+)[^\n]*\n\s+Key\sfingerprint\s=((\s+[0-9A-F]{4}){10})\nuid\s+([^<\(]+)\s')


 def grab_sig_ids():
     good_sigs = {}

     for filename in glob.glob('subversion-*.asc'):
         shutil.copyfile(filename, '%s.bak' % filename)
         text = open(filename).read()
         keys = text.split(key_start)

         for key in keys[1:]:
             open(filename, 'w').write(key_start + key)
             gpg = subprocess.Popen(['gpg', '--logger-fd', '1',
                                     '--verify', filename],
                                    stdout=subprocess.PIPE,
                                    stderr=subprocess.STDOUT)

             rc = gpg.wait()
             output = gpg.stdout.read()
             if rc:
                 # gpg choked, die with an error
                 print(output)
                 sys.stderr.write("BAD SIGNATURE in %s\n" % filename)
                 shutil.move('%s.bak' % filename, filename)
                 sys.exit(1)

             for line in output.split('\n'):
                 match = sig_pattern.match(line)
                 if match:
                     key_id = match.groups()[0]
                     good_sigs[key_id] = True

         shutil.move('%s.bak' % filename, filename)

     return good_sigs


 def generate_output(good_sigs):
     for id in good_sigs.keys():
         gpg = subprocess.Popen(['gpg', '--fingerprint', id],
                                stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
         rc = gpg.wait()
         gpg_output = gpg.stdout.read()
         if rc:
             print(gpg_output)
             sys.stderr.write("UNABLE TO GET FINGERPRINT FOR %s" % id)
             sys.exit(1)

         fp = fp_pattern.match(gpg_output).groups()
         print("   %s [%s] with fingerprint:" % (fp[3], fp[0]))
         print("   %s" % fp[1])


 if __name__ == '__main__':
     if len(sys.argv) < 2:
         print("Give me a version number!")
         sys.exit(1)

     generate_output(grab_sig_ids())
	#!/usr/bin/env python

	# Less terrible, ugly hack of a script than getsigs.pl, but similar. Used to
	# verify the signatures on the release tarballs and produce the list of who
	# signed them in the format we use for the announcements.
	#
	# To use just run it in the directory with the signatures and tarballs and
	# pass the version of subversion you want to check. It assumes gpg is on
	# your path, if it isn't you should fix that. :D
	#
	# Script will die if any gpg process returns an error.
	#
	# Because I hate perl...

	import glob, subprocess, shutil, sys, re

	key_start = '-----BEGIN PGP SIGNATURE-----\n'
	sig_pattern = re.compile(r'^gpg: Signature made .*? using \w+ key ID (\w+)')
	fp_pattern = re.compile(r'^pub\s+(\w+\/\w+)[^\n]*\n\s+Key\sfingerprint\s=((\s+[0-9A-F]{4}){10})\nuid\s+([^<\(]+)\s')


	def grab_sig_ids():
	good_sigs = {}

	for filename in glob.glob('subversion-*.asc'):
	shutil.copyfile(filename, '%s.bak' % filename)
	text = open(filename).read()
	keys = text.split(key_start)

	for key in keys[1:]:
	open(filename, 'w').write(key_start + key)
	gpg = subprocess.Popen(['gpg', '--logger-fd', '1',
	'--verify', filename],
	stdout=subprocess.PIPE,
	stderr=subprocess.STDOUT)

	rc = gpg.wait()
	output = gpg.stdout.read()
	if rc:
	# gpg choked, die with an error
	print(output)
	sys.stderr.write("BAD SIGNATURE in %s\n" % filename)
	shutil.move('%s.bak' % filename, filename)
	sys.exit(1)

	for line in output.split('\n'):
	match = sig_pattern.match(line)
	if match:
	key_id = match.groups()[0]
	good_sigs[key_id] = True

	shutil.move('%s.bak' % filename, filename)

	return good_sigs


	def generate_output(good_sigs):
	for id in good_sigs.keys():
	gpg = subprocess.Popen(['gpg', '--fingerprint', id],
	stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
	rc = gpg.wait()
	gpg_output = gpg.stdout.read()
	if rc:
	print(gpg_output)
	sys.stderr.write("UNABLE TO GET FINGERPRINT FOR %s" % id)
	sys.exit(1)

	fp = fp_pattern.match(gpg_output).groups()
	print(" %s [%s] with fingerprint:" % (fp[3], fp[0]))
	print(" %s" % fp[1])


	if __name__ == '__main__':
	if len(sys.argv) < 2:
	print("Give me a version number!")
	sys.exit(1)

	generate_output(grab_sig_ids())