-rw-r--r-- | gemato/cli.py | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/gemato/cli.py b/gemato/cli.py
index 83bded4..08765b6 100644
--- a/gemato/cli.py
+++ b/gemato/cli.py
@@ -6,6 +6,7 @@ from __future__ import print_function
 import argparse
+import io
 import logging
 import timeit
@@ -30,14 +31,32 @@ def do_verify(args):
 logging.error('Top-level Manifest not found in {}'.format(p))
 return 1
+ init_kwargs = {}
 kwargs = {}
 if args.keep_going:
 kwargs['fail_handler'] = verify_failure
 if not args.strict:
 kwargs['warn_handler'] = verify_warning
+ if not args.openpgp_verify:
+ init_kwargs['verify_openpgp'] = False
+ if args.openpgp_key is not None:
+ env = gemato.openpgp.OpenPGPEnvironment()
+ with io.open(args.openpgp_key, 'rb') as f:
+ env.import_key(f)
+ init_kwargs['openpgp_env'] = env
 start = timeit.default_timer()
- m = gemato.recursiveloader.ManifestRecursiveLoader(tlm)
+ try:
+ m = gemato.recursiveloader.ManifestRecursiveLoader(tlm, **init_kwargs)
+ except gemato.exceptions.OpenPGPNoImplementation as e:
+ logging.error(str(e))
+ return 1
+ except gemato.exceptions.OpenPGPVerificationFailure as e:
+ logging.error(str(e))
+ return 1
+ if args.require_signed_manifest and not m.openpgp_signed:
+ logging.error('Top-level Manifest {} is not OpenPGP signed'.format(tlm))
+ return 1
 try:
 ret = m.assert_directory_verifies(**kwargs)
 except gemato.exceptions.ManifestMismatch as e:
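Review bot: The signed-Manifest check near the end of this hunk is opt-in, so as far as the visible lines show, a run that pins a key with `--openpgp-key` still succeeds for a top-level Manifest that carries no signature at all; only the checksums are then checked. Anyone able to alter the tree could presumably drop the signature and regenerate the Manifest, and the supplied key would never come into play. Consider treating a supplied key as a request for a signed Manifest, `if (args.require_signed_manifest or args.openpgp_key is not None) and not m.openpgp_signed:`, or state in the `-K` help text that `-s` is needed as well. do_verify starts and ends outside the hunk, and the page has lost the indentation, so the nesting is read from the statement order.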
@@ -60,6 +79,13 @@ def main(argv):
 help='Paths to verify (defaults to "." if none specified)')
 verify.add_argument('-k', '--keep-going', action='store_true',
 help='Continue reporting errors rather than terminating on the first failure')
+ verify.add_argument('-K', '--openpgp-key',
+ help='Use only the OpenPGP key(s) from a specific file')
+ verify.add_argument('-P', '--no-openpgp-verify', action='store_false',
+ dest='openpgp_verify',
+ help='Disable OpenPGP verification of signed Manifests')
+ verify.add_argument('-s', '--require-signed-manifest', action='store_true',
+ help='Require that the top-level Manifest is OpenPGP signed')
 verify.add_argument('-S', '--no-strict', action='store_false',
 dest='strict',
 help='Do not fail on non-strict Manifest issues (MISC/OPTIONAL entries)') |
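Review bot: `-P/--no-openpgp-verify` can be given together with `-s/--require-signed-manifest` or `-K/--openpgp-key`, and nothing in the added options rejects or explains that combination. What `m.openpgp_signed` reports when verification is switched off is not visible on this page; if it only records that a signature block is present, `-P -s` would accept a Manifest whose signature was never checked. Rejecting `-P` together with `-s` or `-K` right after argument parsing would make the outcome explicit, or at least extend the help to `help='Disable OpenPGP verification of signed Manifests (signatures are not checked; cannot be combined with -s)'`. main() continues outside the hunk.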