summaryrefslogtreecommitdiff
path: root/extra/lukeshu-xbs/db-list-unsigned-packages.py
blob: 80cff5127e4d402e000daab85d7f215be3b8fec5 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/usr/bin/env python3
# Copyright (C) 2012  Michał Masłowski  <mtjm@mtjm.eu>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.


"""
Output a list of repo/package-name-and-version pairs representing
unsigned packages in the database at standard input of repo named in
the first argument and specified for architectures listed in the
following arguments (usually the one of the database or any, default
is to list all).

If the --keyset argument is passed, print the key fingerprint of every
signed package.
"""


import base64
import subprocess
import sys
import tarfile


def main():
    """Do the job."""
    check_keys = False
    if "--keyset" in  sys.argv:
        sys.argv.remove("--keyset")
        check_keys = True
    repo = sys.argv[1]
    pkgarches = frozenset(name.encode("utf-8") for name in sys.argv[2:])
    packages = []
    keys = []
    with tarfile.open(fileobj=sys.stdin.buffer) as archive:
        for entry in archive:
            if entry.name.endswith("/desc"):
                content = archive.extractfile(entry)
                skip = False
                is_arch = False
                key = None
                for line in content:
                    if is_arch:
                        is_arch = False
                        if pkgarches and line.strip() not in pkgarches:
                            skip = True  # different architecture
                            break
                    if line == b"%PGPSIG%\n":
                        skip = True  # signed
                        key = b""
                        if check_keys:
                            continue
                        else:
                            break
                    if line == b"%ARCH%\n":
                        is_arch = True
                        continue
                    if key is not None:
                        if line.strip():
                            key += line.strip()
                        else:
                            break
                if check_keys and key:
                    key_binary = base64.b64decode(key)
                    keys.append(key_binary)
                    packages.append(repo + "/" + entry.name[:-5])
                if skip:
                    continue
                print(repo + "/" + entry.name[:-5])
    if check_keys and keys:
        # We have collected all signed package names in packages and
        # all keys in keys.  Let's now ask gpg to list all signatures
        # and find which keys made them.
        packets = subprocess.check_output(("gpg", "--list-packets"),
                                          input=b"".join(keys))
        i = 0
        for line in packets.decode("latin1").split("\n"):
            if line.startswith(":signature packet:"):
                keyid = line[line.index("keyid ") + len("keyid "):]
                print(packages[i], keyid)
                i += 1


if __name__ == "__main__":
    main()