[gpg] Set GPG home directory when reading signature IDs. Fixes JB#44305

GPG will not start unless it finds or can create ~/.gnupg for its conf and keyrings, and PackageKit runs without a valid home. For every other key operation it sets the home to temporary directories containing general or trusted keyrings, but reading a signature ID from a file shouldn't need one so it's not done right now. Also, zypp shouldn't ever touch the user's keyrings, as it should operate exclusively with keys from the RPM db. This patch sets the keyring to the general keyring home for this call. It fixes PackageKit, and prevents a permanent ~/.gnupg from being created.
sailfishos · Jan 23, 2019 · 3cb7643 · 3cb7643
1 parent b38f5be
commit 3cb7643
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/rpm/0007-Set-GPG-homedir-when-reading-signatures.patch b/rpm/0007-Set-GPG-homedir-when-reading-signatures.patch
@@ -0,0 +1,22 @@
+From 11d772131cf682b153071ec5a8b6986091c3ab75 Wed, 23 Jan 2019 09:07:33 +0100
+From: Andrew Branson <andrew.branson@jollamobile.com>
+Date: Wed, 23 Jan 2019 09:06:03 +0100
+Subject: [PATCH] Set GPG homedir when reading signatures. GPG won't start without a valid one.
+
+Not being able to create ~/.gnupg is a fatal error on startup for GPG
+
+diff --git a/zypp/KeyRing.cc b/zypp/KeyRing.cc
+index d9e0c9a..c39b872 100644
+--- a/zypp/KeyRing.cc
++++ b/zypp/KeyRing.cc
+@@ -564,6 +564,10 @@
+       return std::string();
+     }
+
++    if(!ctx->setHomedir(generalKeyRing())) {
++      ZYPP_THROW(KeyRingException(_("General keyring not found")));
++    }
++
+     std::list<std::string> fprs = ctx->readSignatureFingerprints(signature);
+     if (fprs.size()) {
+       std::string &id = fprs.back();
diff --git a/rpm/libzypp.spec b/rpm/libzypp.spec
@@ -12,6 +12,7 @@ Patch3:         0003-Ensure-that-the-destination-path-for-applyi.patch
 Patch4:         0004-Set-unrestricted-auth-curl-option.patch
 Patch5:         0005-disable-doc.patch
 Patch6:         0006-libzypp-Enable-netrcoptional-on-libcurl-to-allow-for.patch
+Patch7:         0007-Set-GPG-homedir-when-reading-signatures.patch
 BuildRequires:  cmake
 BuildRequires:  openssl-devel
 BuildRequires:  libudev-devel
@@ -87,6 +88,7 @@ Authors:
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 
 %build
 mkdir -p build