authorMichał Górny <mgorny@gentoo.org>2017-10-27 05:57:17 +0200
committerMichał Górny <mgorny@gentoo.org>2017-10-27 05:57:17 +0200
commit40bb1a8b0d14e7133053c5ec92e512204747c6f7 (patch)
treed2484509a90493f353a66cc8560852cfdf36d515
parent6ed742617a81ac4cbe9f21d3a246480f2b7fa277 (diff)
cli: Support controlling OpenPGP behavior
-rw-r--r--gemato/cli.py28
1 files changed, 27 insertions, 1 deletions
diff --git a/gemato/cli.py b/gemato/cli.py
index 83bded4..08765b6 100644
--- a/gemato/cli.py
+++ b/gemato/cli.py
@@ -6,6 +6,7 @@
from __future__ import print_function
import argparse
+import io
import logging
import timeit
@@ -30,14 +31,32 @@ def do_verify(args):
logging.error('Top-level Manifest not found in {}'.format(p))
return 1
+ init_kwargs = {}
kwargs = {}
if args.keep_going:
kwargs['fail_handler'] = verify_failure
if not args.strict:
kwargs['warn_handler'] = verify_warning
+ if not args.openpgp_verify:
+ init_kwargs['verify_openpgp'] = False
+ if args.openpgp_key is not None:
+ env = gemato.openpgp.OpenPGPEnvironment()
+ with io.open(args.openpgp_key, 'rb') as f:
+ env.import_key(f)
+ init_kwargs['openpgp_env'] = env
start = timeit.default_timer()
- m = gemato.recursiveloader.ManifestRecursiveLoader(tlm)
+ try:
+ m = gemato.recursiveloader.ManifestRecursiveLoader(tlm, **init_kwargs)
+ except gemato.exceptions.OpenPGPNoImplementation as e:
+ logging.error(str(e))
+ return 1
+ except gemato.exceptions.OpenPGPVerificationFailure as e:
+ logging.error(str(e))
+ return 1
+ if args.require_signed_manifest and not m.openpgp_signed:
+ logging.error('Top-level Manifest {} is not OpenPGP signed'.format(tlm))
+ return 1
try:
ret = m.assert_directory_verifies(**kwargs)
except gemato.exceptions.ManifestMismatch as e:
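Review bot: The key import added under `if args.openpgp_key is not None:` runs before the new `try`, so an unreadable key file raises out of `io.open` as an uncaught exception instead of taking the `logging.error(...)` / `return 1` path used for the other OpenPGP failures. Moving the `io.open` / `env.import_key(f)` lines inside the `try` and adding `except IOError as e:` with the same log-and-return body would keep the exit status and message consistent; whatever `import_key` raises for malformed key data is not visible here and should be handled the same way. The `env` object is also never released in the visible lines, so if OpenPGPEnvironment owns a temporary keyring it should be cleaned up once verification finishes. The two identical handlers can be merged into one `except (gemato.exceptions.OpenPGPNoImplementation, gemato.exceptions.OpenPGPVerificationFailure) as e:`. do_verify starts and continues outside the hunk.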
@@ -60,6 +79,13 @@ def main(argv):
help='Paths to verify (defaults to "." if none specified)')
verify.add_argument('-k', '--keep-going', action='store_true',
help='Continue reporting errors rather than terminating on the first failure')
+ verify.add_argument('-K', '--openpgp-key',
+ help='Use only the OpenPGP key(s) from a specific file')
+ verify.add_argument('-P', '--no-openpgp-verify', action='store_false',
+ dest='openpgp_verify',
+ help='Disable OpenPGP verification of signed Manifests')
+ verify.add_argument('-s', '--require-signed-manifest', action='store_true',
+ help='Require that the top-level Manifest is OpenPGP signed')
verify.add_argument('-S', '--no-strict', action='store_false',
dest='strict',
help='Do not fail on non-strict Manifest issues (MISC/OPTIONAL entries)')
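Review bot: The new `-P/--no-openpgp-verify` and `-s/--require-signed-manifest` options can be passed together, and nothing in the visible parser setup or in do_verify rejects that combination. With verification disabled, the `m.openpgp_signed` check either always fails with a misleading "is not OpenPGP signed" error or, if the attribute only reflects the presence of a signature (not visible here), passes without the signature ever being checked. Placing both options in a group from `verify.add_mutually_exclusive_group()` makes the conflict an explicit usage error. `-K` combined with `-P` has the same problem on a smaller scale, since the key is imported but never used, so the `-K` help text should say that it has no effect when verification is disabled. main's body continues outside the hunk.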