3 files changed, 35 insertions, 4 deletions
diff --git a/gemato/cli.py b/gemato/cli.py
index 7459841..b0f4dbe 100644
--- a/gemato/cli.py
+++ b/gemato/cli.py
@@ -1,6 +1,6 @@
 # gemato: CLI routines
 # vim:fileencoding=utf-8
-# (c) 2017 Michał Górny
+# (c) 2017-2018 Michał Górny
 # Licensed under the terms of 2-clause BSD license
 
 from __future__ import print_function
@@ -55,6 +55,12 @@ def do_verify(args, argp):
             if args.openpgp_key is not None:
                 with io.open(args.openpgp_key, 'rb') as f:
                     env.import_key(f)
+                # always refresh keys to check for revocation
+                # (unless user specifically asked us not to)
+                if args.refresh_keys:
+                    logging.info('Refreshing keys from keyserver...')
+                    env.refresh_keys()
+                    logging.info('Keys refreshed.')
             init_kwargs['openpgp_env'] = env
 
             start = timeit.default_timer()
@@ -70,6 +76,8 @@ def do_verify(args, argp):
                 logging.error('Top-level Manifest {} is not OpenPGP signed'.format(tlm))
                 return 1
 
+            logging.info('Verifying {}...'.format(p))
+
             relpath = os.path.relpath(p, os.path.dirname(tlm))
             if relpath == '.':
                 relpath = ''
@@ -86,7 +94,7 @@ def do_verify(args, argp):
                 return 1
 
             stop = timeit.default_timer()
-            logging.info('{} validated in {:.2f} seconds'.format(p, stop - start))
+            logging.info('{} verified in {:.2f} seconds'.format(p, stop - start))
     return 0 if ret else 1
 
 
@@ -163,6 +171,8 @@ def do_update(args, argp):
                     argp.error('Incremental specified but no timestamp in Manifest')
                 update_kwargs['last_mtime'] = last_ts.ts.timestamp()
 
+            logging.info('Updating Manifests in {}...'.format(p))
+
             try:
                 start_ts = datetime.datetime.utcnow()
                 m.update_entries_for_directory(relpath, **update_kwargs)
@@ -249,6 +259,8 @@ def do_create(args, argp):
             if m.hashes is None:
                 argp.error('--hashes must be specified if not implied by --profile')
 
+            logging.info('Creating Manifests in {}...'.format(p))
+
             try:
                 start_ts = datetime.datetime.utcnow()
                 m.update_entries_for_directory()
@@ -293,6 +305,10 @@ def main(argv):
     verify.add_argument('-P', '--no-openpgp-verify', action='store_false',
             dest='openpgp_verify',
             help='Disable OpenPGP verification of signed Manifests')
+    verify.add_argument('-R', '--no-refresh-keys', action='store_false',
+            dest='refresh_keys',
+            help='Disable refreshing OpenPGP key (prevents network access, applicable '
+                +'when using -K only)')
     verify.add_argument('-s', '--require-signed-manifest', action='store_true',
             help='Require that the top-level Manifest is OpenPGP signed')
     verify.set_defaults(func=do_verify)
diff --git a/gemato/openpgp.py b/gemato/openpgp.py
index b80ccbb..6fa500a 100644
--- a/gemato/openpgp.py
+++ b/gemato/openpgp.py
@@ -1,6 +1,6 @@
 # gemato: OpenPGP verification support
 # vim:fileencoding=utf-8
-# (c) 2017 Michał Górny
+# (c) 2017-2018 Michał Górny
 # Licensed under the terms of 2-clause BSD license
 
 import errno
@@ -41,6 +41,15 @@ class OpenPGPSystemEnvironment(object):
 
         raise NotImplementedError('import_key() is not implemented by this OpenPGP provider')
 
+    def refresh_keys(self):
+        """
+        Update the keys from their assigned keyservers. This should be called
+        at start of every execution in order to ensure that revocations
+        are respected. This action requires network access.
+        """
+
+        raise NotImplementedError('refresh_keys() is not implemented by this OpenPGP provider')
+
     def verify_file(self, f):
         """
         Perform an OpenPGP verification of Manifest data in open file @f.
@@ -156,6 +165,11 @@ disable-scdaemon
         if exitst != 0:
             raise RuntimeError('Unable to import key: {}'.format(err.decode('utf8')))
 
+    def refresh_keys(self):
+        exitst, out, err = self._spawn_gpg(['--refresh-keys'], '')
+        if exitst != 0:
+            raise RuntimeError('Unable to refresh keys: {}'.format(err.decode('utf8')))
+
     @property
     def home(self):
         if self._home is None:
diff --git a/tests/test_openpgp.py b/tests/test_openpgp.py
index 2241931..f42ad85 100644
--- a/tests/test_openpgp.py
+++ b/tests/test_openpgp.py
@@ -1,6 +1,6 @@
 # gemato: OpenPGP signature support tests
 # vim:fileencoding=utf-8
-# (c) 2017 Michał Górny
+# (c) 2017-2018 Michał Górny
 # Licensed under the terms of 2-clause BSD license
 
 import base64
@@ -436,6 +436,7 @@ class OpenPGPCorrectKeyTest(unittest.TestCase):
             self.assertEqual(
                     gemato.cli.main(['gemato', 'verify',
                         '--openpgp-key', os.path.join(d, '.key.asc'),
+                        '--no-refresh-keys',
                         '--require-signed-manifest', d]),
                     0)
         finally: