From 548dad674dd2e2e59402981522676284eee6cee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Mas=C5=82owski?= Date: Sun, 26 Oct 2014 20:22:07 +0100 Subject: db-list-unsigned-packages.py: support listing keys that signed the packages. --- db-list-unsigned-packages.py | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/db-list-unsigned-packages.py b/db-list-unsigned-packages.py index 36be93a..80cff51 100755 --- a/db-list-unsigned-packages.py +++ b/db-list-unsigned-packages.py @@ -21,23 +21,35 @@ unsigned packages in the database at standard input of repo named in the first argument and specified for architectures listed in the following arguments (usually the one of the database or any, default is to list all). + +If the --keyset argument is passed, print the key fingerprint of every +signed package. """ +import base64 +import subprocess import sys import tarfile def main(): """Do the job.""" + check_keys = False + if "--keyset" in sys.argv: + sys.argv.remove("--keyset") + check_keys = True repo = sys.argv[1] pkgarches = frozenset(name.encode("utf-8") for name in sys.argv[2:]) + packages = [] + keys = [] with tarfile.open(fileobj=sys.stdin.buffer) as archive: for entry in archive: if entry.name.endswith("/desc"): content = archive.extractfile(entry) skip = False is_arch = False + key = None for line in content: if is_arch: is_arch = False 
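Review bot: The added docstring sentence promises "the key fingerprint of every signed package", but the second hunk prints the `keyid` field that `gpg --list-packets` reports for each signature packet, which is the issuer's key ID rather than a fingerprint. That value is only parsed out of the `%PGPSIG%` blob; nothing visible in this patch verifies the signature against the package file, so the output records which key a signature claims, not which key validly signed it. Anyone building a trusted keyset from this listing needs to know both limits. I would reword the sentence to `If the --keyset argument is passed, print the issuer key ID recorded in the signature of every signed package (the signature itself is not verified).`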
@@ -46,12 +58,38 @@ def main():
 break
 if line == b"%PGPSIG%\n":
 skip = True # signed
- break
+ key = b""
+ if check_keys:
+ continue
+ else:
+ break
 if line == b"%ARCH%\n":
 is_arch = True
+ continue
+ if key is not None:
+ if line.strip():
+ key += line.strip()
+ else:
+ break
+ if check_keys and key:
+ key_binary = base64.b64decode(key)
+ keys.append(key_binary)
+ packages.append(repo + "/" + entry.name[:-5])
 if skip:
 continue
 print(repo + "/" + entry.name[:-5])
+ if check_keys and keys:
+ # We have collected all signed package names in packages and
+ # all keys in keys. Let's now ask gpg to list all signatures
+ # and find which keys made them.
+ packets = subprocess.check_output(("gpg", "--list-packets"),
+ input=b"".join(keys))
+ i = 0
+ for line in packets.decode("latin1").split("\n"):
+ if line.startswith(":signature packet:"):
+ keyid = line[line.index("keyid ") + len("keyid "):]
+ print(packages[i], keyid)
+ i += 1
 if __name__ == "__main__":
-- cgit v1.2.3
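Review bot: The final loop pairs `packages[i]` with the i-th `:signature packet:` line of one concatenated gpg run, so the mapping holds only if every `%PGPSIG%` blob decodes to exactly one signature packet. A database entry whose blob yields zero or two signature packets shifts every later package onto the wrong key ID, and a surplus packet at the end raises IndexError on `packages[i]`; `base64.b64decode` in its default mode also drops non-alphabet bytes silently, so a damaged field is not rejected up front. Parsing each blob in its own gpg call keeps the key ID tied to the package it came from, at the cost of one process per signed package, and checking `"keyid " in line` avoids a ValueError from `line.index`. The loop sits at the end of `main()`, whose start is outside this hunk.

```python
    if check_keys and keys:
        # One gpg run per blob, so a key ID can only be printed next to
        # the package whose %PGPSIG% field it was parsed from.
        for package, blob in zip(packages, keys):
            packets = subprocess.check_output(("gpg", "--list-packets"),
                                              input=blob)
            for line in packets.decode("latin1").split("\n"):
                if line.startswith(":signature packet:") and "keyid " in line:
                    keyid = line[line.index("keyid ") + len("keyid "):]
                    print(package, keyid)
```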