author: intrigeri <intrigeri@boum.org> 2019-04-08 10:24:13 +0000
committer: intrigeri <intrigeri@boum.org> 2019-04-08 10:28:07 +0000
commit: 40aa8198b5c6a64619cf740eab9182fbfd71f7ff
tree: 1c101fb1854148a548121bcf5f83b8bb206f4e2f /wiki
parent: a494cecd6d3182c4d7287262d91bd14061d73a3e
Release process: generate the expected OpenPGP signature verification output in a more deterministic way (refs: #16585)
Using --trusted-key avoids this warning:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg: There is no indication that the signature belongs to the owner.

… and makes our signing key trusted at the "ultimate" level. So let's also s/ultimate/full/ to stick closer to what users should get once they verify our key via the WoT and certify it locally.
Diffstat (limited to 'wiki')
-rw-r--r-- wiki/src/contribute/release_process.mdwn 7
1 files changed, 5 insertions, 2 deletions
diff --git a/wiki/src/contribute/release_process.mdwn b/wiki/src/contribute/release_process.mdwn
index 158b6f4..eec4086 100644
--- a/wiki/src/contribute/release_process.mdwn
+++ b/wiki/src/contribute/release_process.mdwn
@@ -95,6 +95,7 @@ Also export the following environment variables:
* `RELEASE_CHECKOUT`: a checkout of the branch of the main Tails Git
repository used to prepare the release (`stable` or `testing`).
* `TAILS_SIGNATURE_KEY=A490D0F4D311A4153E2BB7CADBB802B258ACD84F`
+* `TAILS_SIGNATURE_KEY_LONG_ID=$(echo "${TAILS_SIGNATURE_KEY:?}"perl -nE 'say substr($_, -17)')`
* `IUK_CHECKOUT`: a checkout of the relevant tag of the `iuk`
Git repository.
* `PERL5LIB_CHECKOUT`: a checkout of the relevant tag of the
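Review bot: on the added `TAILS_SIGNATURE_KEY_LONG_ID` line, as shown here there is no `|` between `echo "${TAILS_SIGNATURE_KEY:?}"` and `perl`, so `perl -nE '...'` would be treated as further arguments to `echo` and the variable would not hold a key ID; it should read `echo "${TAILS_SIGNATURE_KEY:?}" | perl -nE 'say substr($_, -17)'`. Separately, `substr($_, -17)` yields the 16-hex-digit long ID only because `-n` leaves the trailing newline on `$_`; a `chomp` followed by `substr($_, -16)` would state the intent directly and would not silently return 17 characters if the input ever arrived without a newline. A few words in the bullet saying that this is the long key ID passed to `--trusted-key` later in the document would also help, since the other bullets in this list describe what each variable is for.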
@@ -1196,10 +1197,12 @@ Rename, copy, garbage collect and update various files:
cut -f 5 -d ' ' | sed -r 's/(.+)([MG])/\1 \2B/' \
> "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_size.html" && \
gpg --check-trustdb && \
- LANG=C TZ=UTC gpg --no-options --keyid-format long --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}" 2>&1 | \
+ LANG=C TZ=UTC gpg --no-options --keyid-format long --trusted-key "${TAILS_SIGNATURE_KEY_LONG_ID:?}" --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}" 2>&1 | \
+ perl -pE 's/\[ultimate\]$/[full]/' | \
sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
"${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_iso_gpg_signature_output.html" && \
- LANG=C TZ=UTC gpg --no-options --keyid-format long --verify "${IMG_PATH:?}.sig" "${IMG_PATH:?}" 2>&1 | \
+ LANG=C TZ=UTC gpg --no-options --keyid-format long --trusted-key "${TAILS_SIGNATURE_KEY_LONG_ID:?}" --verify "${IMG_PATH:?}.sig" "${IMG_PATH:?}" 2>&1 | \
+ perl -pE 's/\[ultimate\]$/[full]/' | \
sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
"${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_gpg_signature_output.html"
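Review bot: in both `gpg --verify` pipelines, the `&&` chain only sees the exit status of the final `sed` unless `pipefail` is set in the shell running this, so a failed verification would still have its output written to the `*_gpg_signature_output.html` include and the chain would continue. That matters more after this change, because `--trusted-key` removes the "not certified with a trusted signature" warning and the `perl -pE 's/\[ultimate\]$/[full]/'` step rewrites the trust label, so the generated file is now a normalized rendering rather than the raw output. I would suggest running `gpg --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}"` (and the same for `IMG_PATH`) once on its own in the `&&` chain before the formatting pipeline, or setting `set -o pipefail` for this block. As a style point, the ISO and IMG commands are now identical apart from the path and output file, so the two added stages are duplicated; a small shell function taking the path and the output name would keep them from drifting apart.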