
Commit c4072a3

authored
CXX-3002 fix keyring and trust level when verifying GPG signatures (#1390)
1 parent c4c2761 commit c4072a3


2 files changed

+8
-3
lines changed

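--- a/etc/garasign_dist_file.sh
+++ b/etc/garasign_dist_file.sh
@@ -58,5 +58,7 @@ plugin_commands=(
 GNUPGHOME="$(mktemp -d)"
 export GNUPGHOME
 curl -sS https://pgp.mongodb.com/cpp-driver.pub | gpg -q --no-default-keyring --import -
-gpgv "${dist_file_signed:?}" "${dist_file:?}"
+gpg -q --import-ownertrust <<<"DC7F679B8A34DD606C1E54CAC4FC994D21532195:6:" # Set trust to "ultimate".
+gpg -q --update-trustdb
+gpg -q --verify "${dist_file_signed:?}" "${dist_file:?}"
 )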
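Review bot: The new `gpg -q --verify` line does not enforce the pinned fingerprint, because gpg exits 0 for a good signature from any key in the keyring and owner-trust only changes the warning it prints. The keyring is filled from the curl download, so the check relies entirely on that download being authentic. Consider also matching the status output, e.g. `gpg -q --status-fd 1 --verify "${dist_file_signed:?}" "${dist_file:?}" | grep -q 'VALIDSIG .* DC7F679B8A34DD606C1E54CAC4FC994D21532195$'`. The same gap applies to `git verify-tag` in the second hunk of etc/garasign_release_tag.sh, where `git -c gpg.minTrustLevel=ultimate verify-tag "${release_tag:?}"` would make the assigned trust level count. The enclosing subshell opens outside this hunk, so whether `pipefail` is in effect for the suggested pipeline is not visible here.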

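--- a/etc/garasign_release_tag.sh
+++ b/etc/garasign_release_tag.sh
@@ -48,8 +48,9 @@ git_tag_command=(
 "\"${release_tag:?}\""
 )
 plugin_commands=""
-plugin_commands+="gpg --list-key DC7F679B8A34DD606C1E54CAC4FC994D21532195"
-plugin_commands+="&& ${git_tag_command[*]:?}"
+plugin_commands+="gpg -q --update-trustdb"
+plugin_commands+=" && gpg --list-key DC7F679B8A34DD606C1E54CAC4FC994D21532195"
+plugin_commands+=" && ${git_tag_command[*]:?}"
 "${launcher:?}" run \
 --env-file="${garasign_creds:?}" \
 -e "PLUGIN_COMMANDS=${plugin_commands:?}" \
@@ -63,5 +64,7 @@ plugin_commands+="&& ${git_tag_command[*]:?}"
 GNUPGHOME="$(mktemp -d)"
 export GNUPGHOME
 curl -sS https://pgp.mongodb.com/cpp-driver.pub | gpg -q --no-default-keyring --import -
+gpg -q --import-ownertrust <<<"DC7F679B8A34DD606C1E54CAC4FC994D21532195:6:" # Set trust to "ultimate".
+gpg -q --update-trustdb
 git verify-tag "${release_tag:?}"
 )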
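Review bot: `gpg -q --update-trustdb`, prepended to `plugin_commands` in the first hunk, is gpg's interactive trust-database command: the gpg manual notes it may ask for owner-trust values, while `--check-trustdb` does the same maintenance without user interaction. The keyring inside the signing container is not visible from this hunk, so whether a prompt can actually occur there needs confirming. If the step is meant to run unattended, `plugin_commands+="gpg -q --batch --check-trustdb"` is the safer form. The same command is added after the key import in the second hunk and in etc/garasign_dist_file.sh, where it runs against a fresh temporary GNUPGHOME. A short comment on why the trustdb is refreshed before `gpg --list-key` would also help, since the reason is not evident from the visible lines.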
