Google Git
Sign in
gerrit / git-repo / 19a1f22cd0a06eeb1cdea8e81ce7871bd5d6d6a2^! / .
commit19a1f22cd0a06eeb1cdea8e81ce7871bd5d6d6a2[log] [tgz]
authorMike Frysinger <vapier@google.com>Fri Feb 14 16:28:13 2020 -0500
committerMike Frysinger <vapier@google.com>Sat Feb 15 03:55:45 2020 +0000
tree1c4ba8a749c017bd28ada2821defe8cd4b1128f4
parent076512aafaa96563cfb1ca1d43bbd515091d0e5e [diff]
repo: rework gpg import for Windows

Some versions of gpg on Windows mishandle native paths with homedir.
It manifests itself like:

gpg: keybox 'C:\Users\.../.repoconfig\gnupg/pubring.kbx' created
gpg: C:\Users\.../.repoconfig\gnupg/trustdb.gpg: trustdb created
gpg: key 16530D5E920F5C65: public key "Repo Maintainer <repo@android.kernel.org>" imported
gpg: can't connect to the agent: Invalid value passed to IPC
gpg: Total number processed: 1
gpg:               imported: 1
fatal: registering repo maintainer keys failed

It seems gpg (at least version 2.2.17) needs paths to be specified
in cygwin form (e.g. "/c/Users/.../.repoconfig/gnupg") otherwise
it fails to talk to its own processes.  We can work around this
with a minor trick: we cd to the right path and then invoke gpg
with --homedir . and let gpg itself resolve . to whatever form it
really wants.

This is a bit hacky, but we don't control gpg, and this allows us
to avoid having to muck with the environment.  Since --homedir has
been around since at least gpg-1.4.x from 2004, backwards compat
shouldn't be an issue.

While we're here, touch up the output a bit: there's no need to
dump all the chatty gpg output if things don't fail, so always
swallow the output.  If things do fail, our exception handler
takes care of dumping the full stdout & stderr.

Change-Id: I74ab98e1e61e95318fda6faf57c6a8699f775935
Reviewed-on: https://gerrit-review.googlesource.com/c/git-repo/+/255120
Reviewed-by: David Pursehouse <dpursehouse@collab.net>
Tested-by: Mike Frysinger <vapier@google.com>

diff --git a/repo b/repo
index 5674be8..30bce52 100755
--- a/repo
+++ b/repo

@@ -650,13 +650,19 @@
             file=sys.stderr)
       sys.exit(1)
 
-  env = os.environ.copy()
-  _setenv('GNUPGHOME', gpg_dir, env)
-
-  cmd = ['gpg', '--import']
+  if not quiet:
+    print('repo: Updating release signing keys to keyset ver %s' %
+          ('.'.join(str(x) for x in KEYRING_VERSION),))
+  # NB: We use --homedir (and cwd below) because some environments (Windows) do
+  # not correctly handle full native paths.  We avoid the issue by changing to
+  # the right dir with cwd=gpg_dir before executing gpg, and then telling gpg to
+  # use the cwd (.) as its homedir which leaves the path resolution logic to it.
+  cmd = ['gpg', '--homedir', '.', '--import']
   try:
-    run_command(cmd, env=env, stdin=subprocess.PIPE,
-                capture_output=quiet,
+    # gpg can be pretty chatty.  Always capture the output and if something goes
+    # wrong, the builtin check failure will dump stdout & stderr for debugging.
+    run_command(cmd, stdin=subprocess.PIPE, capture_output=True,
+                cwd=gpg_dir, check=True,
                 input=MAINTAINER_KEYS.encode('utf-8'))
   except OSError:
     if not quiet:
@@ -665,9 +671,6 @@
       print(file=sys.stderr)
     return False
 
-  if not quiet:
-    print()
-
   with open(os.path.join(home_dot_repo, 'keyring-version'), 'w') as fd:
     fd.write('.'.join(map(str, KEYRING_VERSION)) + '\n')
   return True