[wotmate] Put a representation of the trust path in the key files

Message ID 20250325200120.1601271-2-u.kleine-koenig@baylibre.com (mailing list archive)
State New
Series: [wotmate] Put a representation of the trust path in the key files

Commit Message

Uwe Kleine-König March 25, 2025, 8:01 p.m. UTC
Up to now, changes to the trust paths are hardly reviewable when looking
at the git history because they only have an effect on the generated
.svg. However, these also change when the installed graphviz changes and
the diffs are hardly understandable.

For that reason, put a text representation of the graph into the key
files.

A nice side effect of this change is that for a trust path

	Linus -> A -> B -> C

the graph for C is regenerated if B's trust path was shortened to

	Linus -> B
---
Hello Konstantin,

after applying this patch to wotmate all graphs in the pgpkeys repo get
updated on the next import. So I suggest doing something like:

	touch empty
	korg-update-pgpkeys empty

before this patch is applied. And then repeat that after patch
application to have the changes not intermixed with the next key update.
It might be a good idea to disable the lint step for this procedure to
be sure that all keys' graphs are updated?

Having said that I experimented with:

	cat keys/* > keyring
	korg-update-pgpkeys keyring

with the intention that the signatures by keys that were removed
recently are dropped. This introduces some changes, however, that I don't
understand. That might be related to

	https://dev.gnupg.org/T7583

(but I'm on Debian's 2.2.45, which doesn't suffer from the originally
reported problem).

 export-keyring.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
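The commit message's example (C's graph must be regenerated once B's path is shortened) and the cover letter's worry about which keys get rewritten both come down to how the old key file is compared with the new trust-path text. The following is an added example, not wotmate's own code: it renders paths in the same shape as the patch and contrasts the patch's substring search with an exact comparison of the paths section. The uid table, the header, the armored key and the function names are constructed assumptions standing in for wotmate's database lookups and gpg output.

```python
# Added example (not wotmate's own code): render trust paths as text and
# decide whether an existing key file must be rewritten. All names below
# and the sample data are assumptions, not wotmate's API.
from typing import Dict, Sequence

# Constructed sample data standing in for wotmate's pubrow -> uid lookups.
UIDS: Dict[int, str] = {
    1: "Linus Torvalds <torvalds@kernel.org>",
    2: "A <a@example.org>",
    3: "B <b@example.org>",
    4: "C <c@example.org>",
}
# Constructed stand-ins for the `gpg --list-key` header and the armored key.
HEADER = b"pub   rsa4096 2022-09-23 [SC]\nuid   C <c@example.org>"
ARMOR_START = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
KEYDATA = ARMOR_START + b"\nconstructed-armor-body\n-----END PGP PUBLIC KEY BLOCK-----"


def render_key_paths(key_paths: Sequence[Sequence[int]], to_rowid: int,
                     uids: Dict[int, str]) -> bytes:
    """One entry per path, hops joined by '\\n `-> ', the target key shown
    as '.', paths separated by a single newline (the patch's layout)."""
    rendered = []
    for kp in key_paths:
        hops = [uids[r] if r != to_rowid else "." for r in kp]
        rendered.append("\n `-> ".join(hops))
    return "\n".join(rendered).encode("utf-8")


def build_export(header: bytes, key_paths_repr: bytes, keydata: bytes) -> bytes:
    """File layout the patch writes: header, paths, key, blank-line separated."""
    return header + b"\n\n" + key_paths_repr + b"\n\n" + keydata + b"\n"


def unchanged_by_substring(old_export: bytes, key_paths_repr: bytes,
                           keydata: bytes) -> bool:
    """The patch's test: both pieces occur somewhere inside the old file."""
    return old_export.find(keydata) > 0 and old_export.find(key_paths_repr) > 0


def unchanged_by_sections(old_export: bytes, key_paths_repr: bytes,
                          keydata: bytes) -> bool:
    """Stricter test: the paths section (the last blank-line separated chunk
    before the armor) and the key must match exactly."""
    idx = old_export.find(ARMOR_START)
    if idx < 0:
        return False  # no armored key in the old file: rewrite it
    old_keydata = old_export[idx:].rstrip(b"\n")
    old_paths = old_export[:idx].rstrip(b"\n").rsplit(b"\n\n", 1)[-1]
    return old_keydata == keydata.rstrip(b"\n") and old_paths == key_paths_repr


def shortened_path_detected() -> Dict[str, bool]:
    """Commit message case: C's file held Linus -> A -> B -> C; B's own
    path got shorter, so C's path is now Linus -> B -> C."""
    old = build_export(HEADER, render_key_paths([[1, 2, 3, 4]], 4, UIDS), KEYDATA)
    new_paths = render_key_paths([[1, 3, 4]], 4, UIDS)
    return {"substring": unchanged_by_substring(old, new_paths, KEYDATA),
            "sections": unchanged_by_sections(old, new_paths, KEYDATA)}


def dropped_path_missed() -> Dict[str, bool]:
    """A second path to C vanished (say A's key was removed). The remaining
    path's text is a suffix of the old paths section, so the substring
    search still answers "no changes" while the section comparison does not."""
    old = build_export(HEADER, render_key_paths([[1, 2, 4], [1, 3, 4]], 4, UIDS), KEYDATA)
    new_paths = render_key_paths([[1, 3, 4]], 4, UIDS)
    return {"substring": unchanged_by_substring(old, new_paths, KEYDATA),
            "sections": unchanged_by_sections(old, new_paths, KEYDATA)}


if __name__ == "__main__":
    print("shortened path:", shortened_path_detected())
    print("dropped path:  ", dropped_path_missed())
```

Both checks agree on the shortened-path case from the commit message (the file is rewritten), but only the section comparison notices a path that has disappeared, which matters when removed keys are meant to drop out of the graphs.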

Comments

Konstantin Ryabitsev March 26, 2025, 3:16 p.m. UTC | #1
On Tue, Mar 25, 2025 at 09:01:21PM +0100, Uwe Kleine-König wrote:
> Up to now changes to the trust paths are hardly reviewable when looking
> at the git history because they only have an effect on the generated
> .svg. However these also change when the installed graphviz changes and
> the diffs are hardly understandable.

Thanks for working on this. I was still not quite happy with the output, so I
changed it to something like this, which I think is more readable:

	pub   rsa4096 2022-09-23 [SC] [expires: 2027-03-20]
		  8234A35B45C0D26B31C1A2DA570338B018144F28
	uid                      Mattijs Korpershoek <mattijs.korpershoek@gmail.com>
	uid                      Mattijs Korpershoek <mkorpershoek@baylibre.com>
	uid                      Mattijs Korpershoek <mkorpershoek@kernel.org>
	sub   rsa2048 2025-03-20 [S] [expires: 2027-03-20]
		  2EE942A7B61F6ABE5313AD00190D1DB4664E1935
	sub   rsa2048 2025-03-20 [E] [expires: 2027-03-20]
		  F12C50B7B942A1FC14C1AA298A31723BB5DF5B73

	from  Linus Torvalds <torvalds@kernel.org>
	   1  Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	   2  Kevin Hilman <khilman@kernel.org>
	   3  Mattijs Korpershoek <mattijs.korpershoek@gmail.com>

	from  Linus Torvalds <torvalds@kernel.org>
	   1  John Hawley ("Warthog9") <warthog9@eaglescrag.net>
	   2  Ben Hutchings <bwh@kernel.org>
	   3  Uwe Kleine-König <uwe@kleine-koenig.org>
	   4  Mattijs Korpershoek <mattijs.korpershoek@gmail.com>

	-----BEGIN PGP PUBLIC KEY BLOCK-----

	...

I haven't rerun it on the pgpkeys export yet, because I'm wondering if we
can add the logic to only do this for newly changed keys, not for all
existing keys, precisely to avoid the "why did all the keys change" situation.

-K
Patch

diff --git a/export-keyring.py b/export-keyring.py
index 6cf95f99738d..3e455f941b98 100755
--- a/export-keyring.py
+++ b/export-keyring.py
@@ -104,12 +104,20 @@  if __name__ == '__main__':
         args = ['-a', '--export', '--export-options', cmdargs.key_export_options, kid]
         keydata = wotmate.gpg_run_command(args, with_colons=False)
         keyout = os.path.join(keydir, '%s.asc' % kid)
+
+        key_paths = wotmate.get_key_paths(c, from_rowid, to_rowid, cmdargs.maxdepth, cmdargs.maxpaths)
+        if not len(key_paths):
+            logger.debug('Skipping %s due to invalid WoT', kid)
+            continue
+
+        key_paths_repr = '\n'.join('\n `-> '.join(wotmate.get_uiddata_by_pubrow(c, rowid) if rowid != to_rowid else "." for rowid in kp) for kp in key_paths).encode('utf-8')
+
         # Do we already have a file in place?
         if os.path.exists(keyout):
             # Load it up and see if it's different
             with open(keyout, 'rb') as fin:
                 old_keyexport = fin.read()
-                if old_keyexport.find(keydata) > 0:
+                if old_keyexport.find(keydata) > 0 and old_keyexport.find(key_paths_repr) > 0:
                     logger.debug('No changes for %s', kid)
                     continue
 
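Review bot: the new condition `old_keyexport.find(key_paths_repr) > 0` cannot notice a trust path that has disappeared: if a key previously had two paths and now has one, the remaining path's text is still found inside the old file (the paths are joined by a single `\n`), so the key is reported as "No changes". Compare the paths section of the old export with `key_paths_repr` for equality (the `b'\n\n'` separators in the layout make it easy to cut out) rather than searching for it. While here, `find(...) > 0` treats a match at offset 0 as "not found"; `in` or `>= 0` is the idiomatic test. A short comment above the one-line generator expression building `key_paths_repr` would also help, since the nested `join` with `"."` standing for the target row is hard to read at a glance.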
@@ -117,17 +125,12 @@  if __name__ == '__main__':
         args = ['--list-options', 'show-notations', '--list-options',
                 'no-show-uid-validity', '--with-subkey-fingerprints', '--list-key', kid]
         header = wotmate.gpg_run_command(args, with_colons=False)
-        keyexport = header + b'\n\n' + keydata + b'\n'
+        keyexport = header + b'\n\n' + key_paths_repr + b'\n\n' + keydata + b'\n'
 
         if not wotmate.lint(keydata):
             logger.debug('Skipping %s due to bad linter results', kid)
             continue
 
-        key_paths = wotmate.get_key_paths(c, from_rowid, to_rowid, cmdargs.maxdepth, cmdargs.maxpaths)
-        if not len(key_paths):
-            logger.debug('Skipping %s due to invalid WoT', kid)
-            continue
-
         with open(keyout, 'wb') as fout:
             fout.write(keyexport)
             logger.info('Wrote %s', keyout)
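Review bot: the line `keyexport = header + b'\n\n' + key_paths_repr + b'\n\n' + keydata + b'\n'` now defines a file layout that the "No changes" detection earlier in the file depends on; a comment here stating that layout, and that the comparison must stay in sync with it, would keep the two from drifting apart. Separately, `if not wotmate.lint(keydata)` still runs after gpg has already been invoked for `--list-key` to build `header`; moving the lint check above that call would skip the extra gpg run for keys that are discarded anyway.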