gpg: verify signature after signing

2016-04-23 22:41:43 +03:00
parent 76ce25fab1
commit 6f4f33bfa5
2 changed files with 20 additions and 14 deletions
--- a/trezor_agent/gpg/check.py
+++ b/trezor_agent/gpg/check.py
@@ -17,7 +17,7 @@ def original_data(filename):
        return open(parts[0], 'rb').read()


-def check(pubkey, sig_file):
+def verify(pubkey, sig_file):
    d = open(sig_file, 'rb')
    if d.name.endswith('.asc'):
        lines = d.readlines()[3:-1]
@@ -29,6 +29,7 @@ def check(pubkey, sig_file):
    signature, = list(parser)
    decode.verify_digest(pubkey=pubkey, digest=signature['digest'],
                         signature=signature['sig'], label='GPG signature')
+    log.info('%s OK', sig_file)


 def main():
@@ -38,9 +39,8 @@ def main():
    p.add_argument('pubkey')
    p.add_argument('signature')
    args = p.parse_args()
-    check(pubkey=decode.load_public_key(open(args.pubkey, 'rb')),
+    verify(pubkey=decode.load_public_key(open(args.pubkey, 'rb')),
          sig_file=args.signature)
-    log.info('OK')

 if __name__ == '__main__':
    main()
--- a/trezor_agent/gpg/signer.py
+++ b/trezor_agent/gpg/signer.py
@@ -9,9 +9,8 @@ import struct
 import subprocess
 import time

-from . import decode
-from .. import client, factory, formats
-from .. import util
+from . import decode, check
+from .. import client, factory, formats, util

 log = logging.getLogger(__name__)

@@ -125,6 +124,15 @@ class Signer(object):
        log.info('%s GPG public key %s created at %s', self.curve_name,
                 self.hex_short_key_id(), time_format(self.created))

+    @classmethod
+    def from_public_key(cls, pubkey, user_id):
+        s = Signer(user_id=user_id,
+                   created=pubkey['created'],
+                   curve_name=find_curve_by_algo_id(pubkey['algo']))
+        assert s.key_id() == pubkey['key_id']
+        return s
+
+
    def _pubkey_data(self):
        curve_info = SUPPORTED_CURVES[self.curve_name]
        header = struct.pack('>BLB',
@@ -237,12 +245,7 @@ def armor(blob, type_str):
 def load_from_gpg(user_id):
    log.info('loading public key %r from local GPG keyring', user_id)
    pubkey_bytes = subprocess.check_output(['gpg2', '--export', user_id])
-    pubkey = decode.load_public_key(io.BytesIO(pubkey_bytes))
-    s = Signer(user_id=user_id,
-               created=pubkey['created'],
-               curve_name=find_curve_by_algo_id(pubkey['algo']))
-    assert s.key_id() == pubkey['key_id']
-    return s
+    return decode.load_public_key(io.BytesIO(pubkey_bytes))


 def main():
@@ -270,13 +273,16 @@ def main():
        open(filename, 'wb').write(pubkey)
        log.info('import to local keyring using "gpg2 --import %s"', filename)
    else:
-        s = load_from_gpg(user_id)
+        pubkey = load_from_gpg(user_id)
+        s = Signer.from_public_key(pubkey=pubkey, user_id=user_id)
        data = open(args.filename, 'rb').read()
        sig, ext = s.sign(data), '.sig'
        if args.armor:
            sig = armor(sig, 'SIGNATURE')
            ext = '.asc'
-        open(args.filename + ext, 'wb').write(sig)
+        filename = args.filename + ext
+        open(filename, 'wb').write(sig)
+        check.verify(pubkey=pubkey, sig_file=filename)

    s.close()