whimsical-commits mailing list archives

From s...@apache.org
Subject [whimsy] branch master updated: Add CA cert for hkps pool processing
Date Tue, 17 Mar 2020 14:43:24 GMT
This is an automated email from the ASF dual-hosted git repository.

sebb pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/whimsy.git


The following commit(s) were added to refs/heads/master by this push:
     new a8d364f  Add CA cert for hkps pool processing
a8d364f is described below

commit a8d364fc614cb525e05fe8840a0ebb5da3581bbe
Author: Sebb <sebb@apache.org>
AuthorDate: Tue Mar 17 14:43:16 2020 +0000

    Add CA cert for hkps pool processing
---
 www/secretary/workbench/config.rb                           | 13 +++++++++++++
 .../workbench/views/actions/check-signature.json.rb         |  9 +++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/www/secretary/workbench/config.rb b/www/secretary/workbench/config.rb
index 767c03e..334bcae 100644
--- a/www/secretary/workbench/config.rb
+++ b/www/secretary/workbench/config.rb
@@ -15,3 +15,16 @@ end
 #
 
 GNUPGHOME = (Dir.exist?('/srv/gpg') ? '/srv/gpg' : nil)
+
+# sks keyserver certificate locations for use with hkps.pool.sks-keyservers.net
+# - whimsy on ubuntu
+# - macos
+%w{
+   /usr/share/gnupg2/sks-keyservers.netCA.pem 
+   /usr/local/gnupg-2.2/share/gnupg/sks-keyservers.netCA.pem
+  }.each do |cert|
+  if File.exist? cert
+    SKS_KEYSERVER_CERT = cert
+    break
+  end
+end
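Review bot: SKS_KEYSERVER_CERT is never defined when neither path exists, so the `if SKS_KEYSERVER_CERT and ...` guard added in check-signature.json.rb raises NameError (uninitialized constant) instead of falling back to the system CA store. Define the constant unconditionally, e.g. `SKS_KEYSERVER_CERT = %w{...}.find { |cert| File.exist? cert }`, which yields nil when no file matches and avoids assigning a constant inside the block. Minor: the first path line carries trailing whitespace.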
diff --git a/www/secretary/workbench/views/actions/check-signature.json.rb b/www/secretary/workbench/views/actions/check-signature.json.rb
index b0d27dd..c50c604 100644
--- a/www/secretary/workbench/views/actions/check-signature.json.rb
+++ b/www/secretary/workbench/views/actions/check-signature.json.rb
@@ -11,7 +11,7 @@ ENV['GNUPGHOME'] = GNUPGHOME if GNUPGHOME
 
 # Removed keys.openpgp.org as it does not return data such as email unless user specifically
allows this 
 #KEYSERVERS = %w{sks-keyservers.net keyserver.ubuntu.com} # don't seem to be working: bad
gateway
-KEYSERVERS = %w{pgp.ocf.berkeley.edu pgpkeys.uk}
+KEYSERVERS = %w{hkps.pool.sks-keyservers.net}
 
 # ** N.B. ensure the keyserver URI is known below **
 def getServerURI(server, keyid)
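Review bot: the commented-out line kept just above ("sks-keyservers.net ... don't seem to be working: bad gateway") now contradicts the new value; update it to say the hkps pool is used with the custom CA from config.rb. Also worth noting in the comment that KEYSERVERS is now a single entry, so an outage of the pool leaves no fallback server.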
@@ -38,7 +38,12 @@ require 'net/http'
 # fetch the Key from the URI and store in the file
 def getURI(uri,file)
   uri = URI.parse(uri)
-  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |https|
+  opts = {use_ssl: uri.scheme == 'https'}
+  # The pool needs a special CA cert
+  if SKS_KEYSERVER_CERT and uri.host == 'hkps.pool.sks-keyservers.net'
+    opts[:ca_file] = SKS_KEYSERVER_CERT
+  end
+  Net::HTTP.start(uri.host, uri.port, opts ) do |https|
     https.request_get(uri.request_uri) do |res|
       unless res.code == "200"
         raise Exception.new("Get #{uri} failed with #{res.code}: #{res.message}")
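Review bot: the literal 'hkps.pool.sks-keyservers.net' in the host comparison duplicates the entry in KEYSERVERS, so editing one without the other silently stops applying the CA file; compare against a shared constant instead. The reference to SKS_KEYSERVER_CERT also assumes config.rb defined it on this host (it raises NameError otherwise). When no CA file is configured and the host is the pool, the request will fail at TLS verification with a generic OpenSSL error, since, per the comment, the pool needs a special CA cert; a descriptive error at that point (e.g. "no SKS CA certificate found for #{uri.host}") would make the failure mode obvious. Minor: stray space in `opts )`.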

