Commit 40aa8198 authored by intrigeri

Release process: generate the expected OpenPGP signature verification output in a more deterministic way (refs: #16585)

Using --trusted-key avoids this warning:

  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

… and makes our signing key trusted at the "ultimate" level.

So let's also s/ultimate/full/ to stick closer to what users should
get once they verify our key via the WoT and certify it locally.
parent a494cecd
......@@ -95,6 +95,7 @@ Also export the following environment variables:
* `RELEASE_CHECKOUT`: a checkout of the branch of the main Tails Git
repository used to prepare the release (`stable` or `testing`).
* `TAILS_SIGNATURE_KEY=A490D0F4D311A4153E2BB7CADBB802B258ACD84F`
* `TAILS_SIGNATURE_KEY_LONG_ID=$(echo "${TAILS_SIGNATURE_KEY:?}"perl -nE 'say substr($_, -17)')`
* `IUK_CHECKOUT`: a checkout of the relevant tag of the `iuk`
Git repository.
* `PERL5LIB_CHECKOUT`: a checkout of the relevant tag of the
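Review bot: `substr($_, -17)` in the added `TAILS_SIGNATURE_KEY_LONG_ID` line yields the 16-hex-digit long key ID only because `echo` appends a newline that `perl -n` (without `-l`) leaves in `$_`; given input without that trailing newline it would return 17 characters. Suggest `perl -nlE 'say substr($_, -16)'`, or the shell's own `${TAILS_SIGNATURE_KEY: -16}`, so the intended length is stated directly. As the line is shown here there is also no `|` between `echo "${TAILS_SIGNATURE_KEY:?}"` and `perl`, so check that the pipe is present in the committed file. A short note in the list saying that the long ID is the last 16 hex digits of the fingerprint would help whoever copies these exports.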
......@@ -1196,10 +1197,12 @@ Rename, copy, garbage collect and update various files:
cut -f 5 -d ' ' | sed -r 's/(.+)([MG])/\1 \2B/' \
> "${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_size.html" && \
gpg --check-trustdb && \
LANG=C TZ=UTC gpg --no-options --keyid-format long --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}" 2>&1 | \
LANG=C TZ=UTC gpg --no-options --keyid-format long --trusted-key "${TAILS_SIGNATURE_KEY_LONG_ID:?}" --verify "${ISO_PATH:?}.sig" "${ISO_PATH:?}" 2>&1 | \
perl -pE 's/\[ultimate\]$/[full]/' | \
sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
"${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_iso_gpg_signature_output.html" && \
LANG=C TZ=UTC gpg --no-options --keyid-format long --verify "${IMG_PATH:?}.sig" "${IMG_PATH:?}" 2>&1 | \
LANG=C TZ=UTC gpg --no-options --keyid-format long --trusted-key "${TAILS_SIGNATURE_KEY_LONG_ID:?}" --verify "${IMG_PATH:?}.sig" "${IMG_PATH:?}" 2>&1 | \
perl -pE 's/\[ultimate\]$/[full]/' | \
sed 's/ /\&nbsp;/g;s/</\&lt;/;s/>/\&gt;/;s/$/<br\/>/g' > \
"${RELEASE_CHECKOUT:?}/wiki/src/inc/stable_amd64_img_gpg_signature_output.html"