Commit 3de2dfb

richlander and Copilot authored
Use gpgv instead of gpg for Release signature verification in install-debs.py (#17024)
Co-authored-by: Rich Lander <richlander@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent bace0c9 commit 3de2dfb

1 file changed

Lines changed: 6 additions & 2 deletions

eng/common/cross/install-debs.py

@@ -121,10 +121,14 @@ async def fetch_release_file(session, mirror, suite, keyring):
121121
await download_file(session, release_gpg_url, release_gpg_file.name)
122122

123123
print("Verifying signature of Release with Release.gpg.")
124-
verify_command = ["gpg"]
124+
# Use gpgv rather than gpg for verification. gpgv verifies a detached
125+
# signature against a fixed keyring without involving gpg-agent or
126+
# keyboxd, which makes it robust on hosts running GnuPG 2.4+ (e.g. Azure
127+
# Linux) where "gpg --keyring" routes through keyboxd and can fail.
128+
verify_command = ["gpgv"]
125129
if keyring:
126130
verify_command += ["--keyring", keyring]
127-
verify_command += ["--verify", release_gpg_file.name, release_file.name]
131+
verify_command += [release_gpg_file.name, release_file.name]
128132
result = subprocess.run(verify_command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
129133

130134
if result.returncode != 0:
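
Review bot: The `if keyring:` branch leaves gpgv without a `--keyring` argument when no keyring is passed, and gpgv then reads only its default `trustedkeys.kbx` (or `trustedkeys.gpg`) in the GnuPG home directory, not the user's public keyring that `gpg --verify` consulted. A caller that relied on keys already imported into the default gpg keyring will now get a verification failure. Consider failing early with a clear message when `keyring` is empty, or mention the fallback in the new comment. Because gpgv treats every key in the supplied keyring as trusted, the comment could also state that the keyring file should hold only the archive signing keys for the target distribution.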
