Download public keys by fingerprint in travis

The uid and fingerprint are more legible than the full key, which should
make future changes easier to review.

The keys are used by Travis only to validate that a git tag was signed
with a recognised key. The results of the build are signed separately.

You can confirm the fingerprints in .travis.yml match the ones in
the by running this on the old packaging/gpg.keys:

  gpg --import-options show-only --import packaging/gpg.keys

Author: philwhineray

.travis.yml

@@ -23,10 +23,13 @@ before_install:
  # Decrypt our private files for CI use only
  - eval "$(ssh-agent -s)"
  - ./.travis/decrypt-if-have-key df4daddc19fe
+ - export KEYSERVER=pool.sks-keyservers.net
 #
 # Run
 before_script:
- - gpg --import packaging/gpg.keys
+ # Download keys - builds of tags check for a recognised signature
+ - ./packaging/gpg-recv-key [email protected] "9CCE 9A8D 5328 FBD6 CE29  6DCC 63DF 1E44 D829 797E"
+ - ./packaging/gpg-recv-key [email protected] "4DFF 624A E564 3B51 2872  1F40 29CA 3358 89B9 A863"
  # Run the commit hooks in case the developer didn't
  - git diff 4b825dc642cb6eb9a060e54bf8d69288fbee4904 | ./packaging/check-files -
 script:

packaging/README.md

@@ -18,8 +18,6 @@ and post-release update.
 Programs and packages with specific needs should create extra
 `whatever.functions` and supporting scripts in a subdirectory.
 
-The `gpg.keys` file is a list of keys that can be expected to sign
-tags and packages.
 
 Making a release
 ----------------

packaging/gpg-recv-key

@@ -0,0 +1,65 @@
+#!/bin/sh
+
+if [ ! "$KEYSERVER" ]
+then
+  echo "No KEYSERVER environment set, e.g.:"
+  echo "  export KEYSERVER=hkps://hkps.pool.sks-keyservers.net"
+  exit 1
+fi
+
+debug=""
+if [ "$debug" ]
+then
+  if [ ! "$GNUPGHOME" ]
+  then
+    echo "No GNUPGHOME environment set, e.g.:"
+    echo "  export GNUPGHOME=$HOME/.gnupg"
+    exit 1
+  fi
+
+  if [ ! -d "$GNUPGHOME" ]
+  then
+    mkdir -p "$GNUPGHOME"
+    chmod 700 "$GNUPGHOME"
+  fi
+fi
+
+keyuid="$1"
+fingerprint="$2"
+
+# Modern GPG can import key by fingerprint but the version available
+# within travis currently does not, so we extract the short version and
+# check it matches manually
+key=`echo $fingerprint | cut -f7-10 -d' ' | tr -d ' '`
+
+gpg --keyserver "$KEYSERVER" --recv-key "$key" || exit 1
+gpg --fingerprint "$key" > /tmp/keystatus.$$
+status=$?
+
+cat /tmp/keystatus.$$
+if [ $status -ne 0 ]
+then
+  rm -f /tmp/keystatus.$$
+  exit 2
+fi
+
+if ! grep -q "^uid.*<$keyuid>" /tmp/keystatus.$$
+then
+  rm -f /tmp/keystatus.$$
+  echo "Did not find expected uid $keyuid"
+  exit 3
+fi
+
+echo "uid looks good"
+
+if ! grep -q " $fingerprint$" /tmp/keystatus.$$
+then
+  rm -f /tmp/keystatus.$$
+  echo "Did not find expected fingerprint $fingerprint"
+  exit 3
+fi
+
+echo "Fingerprint looks good"
+
+rm -f /tmp/keystatus.$$
+exit 0