From 49bc0a3afbbe3740bb857b530440364b021a865f Mon Sep 17 00:00:00 2001
From: Sergio Correia
Date: Fri, 17 Jun 2022 19:57:17 -0300
Subject: [PATCH 5/5] Use python3-gpg instead of python3-gnupg

The former uses GPGME and is the recommended way of using GnuPG from applications, by the GnuPG initiative, as it provides a better documented API [1][2].

python-gpg is also already present in some distros, e.g. Fedora and CentOS Stream, as it is a dependency of their package manager (dnf). It is also available in other major distros such as Debian, Ubuntu, OpenSUSE, so no disruptions are to be expected regarding packaging.

[1] https://gnupg.org/software/gpgme/index.html
[2] https://wiki.python.org/moin/GnuPrivacyGuard
---
 installer.sh | 6 +++---
 keylime/signing.py | 27 +++++++++++++--------------
 requirements.txt | 3 +--
 3 files changed, 17 insertions(+), 19 deletions(-)

diff --git a/installer.sh b/installer.sh
index 6618e1d..4355b33 100755
--- a/installer.sh
+++ b/installer.sh
@@ -58,7 +58,7 @@ case "$ID" in
 echo "${ID} selected."
 PACKAGE_MGR=$(command -v apt-get)
 PYTHON_PREIN="git patch"
- PYTHON_DEPS="python3 python3-pip python3-dev python3-setuptools python3-zmq python3-tornado python3-cryptography python3-requests python3-psutil gcc g++ libssl-dev swig python3-yaml python3-gnupg python3-lark wget"
+ PYTHON_DEPS="python3 python3-pip python3-dev python3-setuptools python3-zmq python3-tornado python3-cryptography python3-requests python3-psutil gcc g++ libssl-dev swig python3-yaml python3-gpg python3-lark wget"
 if [ "$(uname -m)" = "x86_64" ]; then
 PYTHON_DEPS+=" libefivar-dev"
 fi
@@ -96,7 +96,7 @@ case "$ID" in
 PACKAGE_MGR=$(command -v dnf)
 NEED_EPEL=1
 PYTHON_PREIN="python3 python3-devel python3-setuptools python3-pip"
- PYTHON_DEPS="gcc gcc-c++ openssl-devel python3-yaml python3-requests swig python3-cryptography wget git python3-tornado python3-zmq python3-gnupg python3-psutil"
+ PYTHON_DEPS="gcc gcc-c++ openssl-devel python3-yaml python3-requests swig python3-cryptography wget git python3-tornado python3-zmq python3-gpg python3-psutil"
 if [ "$(uname -m)" = "x86_64" ]; then
 PYTHON_DEPS+=" efivar-libs"
 fi
@@ -116,7 +116,7 @@ case "$ID" in
 echo "${ID} selected."
 PACKAGE_MGR=$(command -v dnf)
 PYTHON_PREIN="python3 python3-devel python3-setuptools git wget patch"
- PYTHON_DEPS="python3-pip gcc gcc-c++ openssl-devel swig python3-pyyaml python3-zmq python3-cryptography python3-tornado python3-requests python3-gnupg yaml-cpp-devel procps-ng python3-psutil python3-lark-parser"
+ PYTHON_DEPS="python3-pip gcc gcc-c++ openssl-devel swig python3-pyyaml python3-zmq python3-cryptography python3-tornado python3-requests python3-gpg yaml-cpp-devel procps-ng python3-psutil python3-lark-parser"
 if [ "$(uname -m)" = "x86_64" ]; then
 PYTHON_DEPS+=" efivar-devel"
 fi
diff --git a/keylime/signing.py b/keylime/signing.py
index 1353c1e..a1be9c7 100644
--- a/keylime/signing.py
+++ b/keylime/signing.py
@@ -5,7 +5,7 @@ Copyright 2017 Massachusetts Institute of Technology.
 
 import tempfile
 
-import gnupg
+import gpg
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.asymmetric import ec
@@ -55,19 +55,18 @@ def verify_signature(key, sig, file):
 
 # PGP
 if key_header == "-----BEGIN PGP PUBLIC KEY BLOCK-----":
- gpg = gnupg.GPG()
- logger.debug("Importing GPG key")
- gpg_imported = gpg.import_keys(key.decode("utf-8"))
- if gpg_imported.count == 1: # pylint: disable=E1101
- logger.debug("GPG key successfully imported")
- else:
- raise Exception("Unable to import GPG key")
-
- # The Python PGP library won't let you read a signature from memory, hence this hack.
- with tempfile.NamedTemporaryFile() as temp_sig:
- temp_sig.write(sig)
- temp_sig.flush()
- verified = gpg.verify_data(temp_sig.name, file)
+ verified = False
+ with tempfile.TemporaryDirectory() as gpg_homedir:
+ ctx = gpg.Context(home_dir=gpg_homedir)
+ try:
+ logger.debug("Importing GPG key")
+ result = ctx.key_import(key)
+ except Exception as e:
+ raise Exception("Unable to import GPG key") from e
+
+ if result is not None and hasattr(result, "considered") is True:
+ _, result = ctx.verify(file, sig)
+ verified = result.signatures[0].status == 0
 
 # OpenSSL
 elif key_header == "-----BEGIN PUBLIC KEY-----":
diff --git a/requirements.txt b/requirements.txt
index d31eabc..ca3fac3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,8 +10,7 @@ pyyaml>=3.11 # MIT
 requests>=2.6 # Apache-2.0
 sqlalchemy>=1.3 # MIT
 alembic>=1.1.0 # MIT
-python-gnupg>=0.4.6 # BSD
 packaging>=20.0 #BSD
 psutil>=5.4.2 # BSD
 # Note that lark was renamed from lark-parser with 1.0.0 release
-lark>=1.0.0 # MIT
\ No newline at end of file
+lark>=1.0.0 # MIT
--
2.35.1
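Review bot: The import check at `if result is not None and hasattr(result, "considered") is True:` only tests that `key_import` handed back an object shaped like an import result, not that a key was actually imported, and when it fails the block silently falls through with `verified = False`, whereas the removed code raised "Unable to import GPG key" and logged the successful import. Testing the count on the result (`considered` as the page uses it, or `imported`, which the same GPGME result object also carries) and raising when it is zero keeps the old diagnostic while staying fail-closed. Separately, if I read the gpg bindings correctly, `Context.verify()` raises `gpg.errors.BadSignatures` by default whenever any signature is not good, so `result.signatures[0].status == 0` is only ever reached for good signatures and a bad detached signature now escapes as an exception instead of producing `verified = False` as `verify_data` did, which callers expecting a boolean may not handle. Reusing `result` for both the import result and the verify result also makes the block harder to read, and an empty signature list should not count as verified. `verify_signature` starts and ends outside this hunk, so how `verified` is consumed is not visible here.
```python
            ctx = gpg.Context(home_dir=gpg_homedir)
            # … unchanged: key_import inside try/except …
            if result is None or not getattr(result, "considered", 0):
                raise Exception("Unable to import GPG key")
            logger.debug("GPG key successfully imported")
            try:
                _, verify_result = ctx.verify(file, sig)
            except gpg.errors.BadSignatures:
                verified = False
            else:
                sigs = verify_result.signatures
                verified = bool(sigs) and all(s.status == 0 for s in sigs)
```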
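Review bot: Dropping `python-gnupg>=0.4.6` here without declaring its replacement leaves the `gpg` module that keylime/signing.py now imports undeclared for pip-based installs, which would then fail at import time on a host that lacks the distro package. If the intent is that `gpg` always comes from the distribution (python3-gpg, as installer.sh now installs) because the GPGME bindings are not reliably installable from PyPI, record that in this file so the omission reads as deliberate, e.g. `# gpg (GPGME bindings) is provided by the distro package python3-gpg, not via pip`. The same consideration applies to any other dependency manifest the project keeps outside this patch.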