[weboob] [PATCH 1/1] Use gpg2 rather than gpgv2 for signature verification

Mickaël Thomas mickael9 at gmail.com
Sat Dec 26 23:19:25 CET 2015


Current gpgv2 has a bug where the gpgv2 command does not work

A patch has already been sent upstream :
https://lists.gnupg.org/pipermail/gnupg-devel/2015-December/030623.html

Using gpg2 --verify instead of gpgv2 fixes the issue

Signed-off-by: Mickaël Thomas <mickael9 at gmail.com>
---
 weboob/core/repositories.py | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/weboob/core/repositories.py b/weboob/core/repositories.py
index 5afde3e..1e6830f 100644
--- a/weboob/core/repositories.py
+++ b/weboob/core/repositories.py
@@ -578,7 +578,7 @@ class Repositories(object):
         for name in os.listdir(self.repos_dir):
             os.remove(os.path.join(self.repos_dir, name))
 
-        gpgv = Keyring.find_gpgv()
+        gpg = Keyring.find_gpg()
         for line in self._parse_source_list():
             progress.progress(0.0, 'Getting %s' % line)
             repository = Repository(line)
@@ -588,10 +588,10 @@ class Repositories(object):
             keyring_path = os.path.join(self.keyrings_dir, filename)
             try:
                 repository.retrieve_index(self.browser, repo_path)
-                if gpgv:
+                if gpg:
                     repository.retrieve_keyring(self.browser, keyring_path, progress)
                 else:
-                    progress.error('Cannot find gpgv to check for repository authenticity.\n'
+                    progress.error('Cannot find gpg to check for repository authenticity.\n'
                                     'You should install GPG for better security.')
             except RepositoryUnavailable as e:
                 progress.error('Unable to load repository: %s' % e)
@@ -688,7 +688,7 @@ class Repositories(object):
             raise ModuleInstallError('Unable to fetch module: %s' % e)
 
         # Check signature
-        if module.signed and Keyring.find_gpgv():
+        if module.signed and Keyring.find_gpg():
             progress.progress(0.5, 'Checking module authenticity...')
             sig_data = self.browser.open(posixpath.join(module.url + '.sig')).content
             keyring_path = os.path.join(self.keyrings_dir, self.url2filename(module.repo_url))
@@ -768,12 +768,12 @@ class Keyring(object):
             fp.write(str(version))
 
     @staticmethod
-    def find_gpgv():
-        if os.getenv('GPGV_EXECUTABLE'):
-            return os.getenv('GPGV_EXECUTABLE')
+    def find_gpg():
+        if os.getenv('GPG_EXECUTABLE'):
+            return os.getenv('GPG_EXECUTABLE')
         paths = os.getenv('PATH', os.defpath).split(os.pathsep)
         for path in paths:
-            for ex in ('gpgv2', 'gpgv', 'gpgv2.exe', 'gpgv.exe'):
+            for ex in ('gpg2', 'gpg', 'gpg2.exe', 'gpg.exe'):
                 fpath = os.path.join(path, ex)
                 if os.path.exists(fpath) and os.access(fpath, os.X_OK):
                     return fpath
@@ -783,7 +783,7 @@ class Keyring(object):
         Check if the data is signed by an accepted key.
         data and sigdata should be strings.
         """
-        gpgv = self.find_gpgv()
+        gpg = self.find_gpg()
         from tempfile import NamedTemporaryFile
         with NamedTemporaryFile(suffix='.sig', delete=False) as sigfile:
             temp_filename = sigfile.name
@@ -795,7 +795,8 @@ class Keyring(object):
                 sigfile.flush()  # very important
                 assert isinstance(data, basestring)
                 # Yes, all of it is necessary
-                proc = subprocess.Popen([gpgv,
+                proc = subprocess.Popen([gpg,
+                        '--verify',
                         '--status-fd', '1',
                         '--keyring', os.path.realpath(self.path),
                         os.path.realpath(sigfile.name),
-- 
2.6.4




More information about the weboob mailing list