Gitiles
Code Review Sign In
gerrit.hackerspace.pl / hscloud / f97c9688d5a5e99e2ccd1967faf619e884a3172b^! / . / tools / secretstore.py
commitf97c9688d5a5e99e2ccd1967faf619e884a3172b[log] [tgz]
authorSerge Bazanski <q3k@hackerspace.pl>Sun Jun 06 12:53:11 2021 +0000
committerSerge Bazanski <q3k@hackerspace.pl>Sat Jul 10 16:53:59 2021 +0000
treef65c4d33c79e71aea86df19c644209bb7efe0472
parent4e534cc03cf75df2a6d20431e15da4c5603ef374 [diff] [blame]
tools/secretstore: fix gpg encryption for expired key

We also set --trust-model=always, as we explicitly ship GPG
fingerprints, so there's no need to rely on GPG's web of trust
shenanigans.

Change-Id: If2976130315c044f1d1727c61a6f6d489c876a52

diff --git a/tools/secretstore.py b/tools/secretstore.py
index b0d2cfe..767a0fc 100644
--- a/tools/secretstore.py
+++ b/tools/secretstore.py

@@ -49,6 +49,10 @@
     "0879F9FCA1C836677BB808C870FD60197E195C26", # implr
 ]
 
+# Currently, Patryk's GPG key is expired. This hacks around that by pretending
+# it's January 2021.
+# TODO(q3k/patryk): remove this once Patryk updates his key.
+systime = '20210101T000000'
 
 _logger_name = __name__
 if _logger_name == '__main__':
@@ -61,7 +65,15 @@
 
 
 def encrypt(src, dst):
-    cmd = ['gpg' , '--encrypt', '--armor', '--batch', '--yes', '--output', dst]
+    cmd = [
+        'gpg' , 
+        '--encrypt',
+        '--faked-system-time', systime,
+        '--trust-model', 'always',
+        '--armor',
+        '--batch', '--yes',
+        '--output', dst,
+    ]
     for k in keys:
         cmd.append('--recipient')
         cmd.append(k)
@@ -80,7 +92,7 @@
     Returns the encryption key ID for a given GPG fingerprint (eg. one from the
     'keys' list.
     """
-    cmd = ['gpg', '-k', '--keyid-format', 'long', fp]
+    cmd = ['gpg', '-k', '--faked-system-time', systime, '--keyid-format', 'long', fp]
     res = subprocess.check_output(cmd).decode()
 
     # Sample output: