From 9804a9d401e7f0956540aaa87e8e2892e6e00562 Mon Sep 17 00:00:00 2001
From: Ayush Ranjan <ayushranjan@google.com>
Date: Mon, 7 Sep 2020 21:16:22 -0700
Subject: Fix make_apt script.

This change makes the following fixes:
- When creating a test repo.key, create a secret keyring as other workflows
  also use secret keyrings only.
- We should not be using both --keyring and --secret-keyring options. Just use
  --secret-keyring.
- Pass homedir to all gpg commands. dpkg-sig takes an arg -g which stands for
  gpgopts. So we need to pass the homedir there too.

PiperOrigin-RevId: 330443280
---
 tools/make_apt.sh | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

(limited to 'tools')

diff --git a/tools/make_apt.sh b/tools/make_apt.sh
index fdc5e9192..13c5edd76 100755
--- a/tools/make_apt.sh
+++ b/tools/make_apt.sh
@@ -58,6 +58,7 @@ mkdir -p "${release}"
 # using the same key. This is a limitation in GnuPG pre-2.1.
 declare -r keyring=$(mktemp /tmp/keyringXXXXXX.gpg)
 declare -r homedir=$(mktemp -d /tmp/homedirXXXXXX)
+declare -r gpg_opts=("--no-default-keyring" "--secret-keyring" "${keyring}" "--homedir" "${homedir}")
 cleanup() {
   rm -rf "${keyring}" "${homedir}"
 }
@@ -67,8 +68,8 @@ trap cleanup EXIT
 # is not found. This isn't actually a failure for us, because we don't require
 # the public key (this may be stored separately). The second import will succeed
 # because, in reality, the first import succeeded and it's a no-op.
-gpg --no-default-keyring --keyring "${keyring}" --homedir "${homedir}" --import "${private_key}" || \
-  gpg --no-default-keyring --keyring "${keyring}" --homedir "${homedir}" --import "${private_key}"
+gpg "${gpg_opts[@]}" --import "${private_key}" || \
+  gpg "${gpg_opts[@]}" --import "${private_key}"
 
 # Copy the packages into the root.
 for pkg in "$@"; do
@@ -103,7 +104,8 @@ for pkg in "$@"; do
   cp -a "${pkg}" "${target}"
   chmod 0644 "${target}"
   if [[ "${ext}" == "deb" ]]; then
-    dpkg-sig -g "--no-default-keyring --keyring ${keyring}" --sign builder "${target}"
+    # We use [*] here to expand the gpg_opts array into a single shell-word.
+    dpkg-sig -g "${gpg_opts[*]}" --sign builder "${target}"
   fi
 done
 
@@ -138,5 +140,5 @@ rm "${release}"/apt.conf
 # Sign the release.
 declare -r digest_opts=("--digest-algo" "SHA512" "--cert-digest-algo" "SHA512")
 (cd "${release}" && rm -f Release.gpg InRelease)
-(cd "${release}" && gpg --no-default-keyring --keyring "${keyring}" --clearsign "${digest_opts[@]}" -o InRelease Release)
-(cd "${release}" && gpg --no-default-keyring --keyring "${keyring}" -abs "${digest_opts[@]}" -o Release.gpg Release)
+(cd "${release}" && gpg "${gpg_opts[@]}" --clearsign "${digest_opts[@]}" -o InRelease Release)
+(cd "${release}" && gpg "${gpg_opts[@]}" -abs "${digest_opts[@]}" -o Release.gpg Release)
-- 
cgit v1.2.3