[Libguestfs] [PATCH 2/3] builder: trust the imported keys

Pino Toscano ptoscano at redhat.com
Mon May 11 17:30:33 UTC 2015


In every SigChecker, trust by default the keys imported.
This should make gpg happier when the keys are used later, which only
happens when validating the signatures of index files.
---
 builder/sigchecker.ml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/builder/sigchecker.ml b/builder/sigchecker.ml
index a1a4220..b54977f 100644
--- a/builder/sigchecker.ml
+++ b/builder/sigchecker.ml
@@ -33,7 +33,7 @@ type t = {
 }
 
 (* Import the specified key file. *)
-let import_keyfile ~gpg ~gpghome ~verbose keyfile =
+let import_keyfile ~gpg ~gpghome ~verbose ?(trust = true) keyfile =
   let status_file = Filename.temp_file "vbstat" ".txt" in
   unlink_on_exit status_file;
   let cmd = sprintf "%s --homedir %s --status-file %s --import %s%s"
@@ -45,14 +45,25 @@ let import_keyfile ~gpg ~gpghome ~verbose keyfile =
     error (f_"could not import public key\nUse the '-v' option and look for earlier error messages.");
   let status = read_whole_file status_file in
   let status = string_nsplit "\n" status in
+  let key_id = ref "" in
   let fingerprint = ref "" in
   List.iter (
     fun line ->
       let line = string_nsplit " " line in
       match line with
       | "[GNUPG:]" :: "IMPORT_OK" :: _ :: fp :: _ -> fingerprint := fp
+      | "[GNUPG:]" :: "IMPORTED" :: key :: _ -> key_id := key
       | _ -> ()
   ) status;
+  if trust then (
+    let cmd = sprintf "%s --homedir %s --trusted-key %s --list-keys%s"
+      gpg gpghome (quote !key_id)
+      (if verbose then "" else " >/dev/null 2>&1") in
+    if verbose then printf "%s\n%!" cmd;
+    let r = Sys.command cmd in
+    if r <> 0 then
+      error (f_"GPG failure: could not trust the imported key\nUse the '-v' option and look for earlier error messages.");
+  );
   !fingerprint
 
 let rec create ~verbose ~gpg ~gpgkey ~check_signature =
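Review bot: `key_id` stays empty when the key was already present in the keyring, because as far as I can tell gpg emits the `IMPORTED` status line only for newly imported keys, so the `--trusted-key` command built at the new `let cmd` line runs with an empty key ID and a successful re-import then dies with the new "could not trust the imported key" error. The `IMPORT_OK` line already parsed above carries the fingerprint in both cases, and for v4 keys the long key ID that `--trusted-key` expects is the last 16 hex digits of that fingerprint, so deriving the ID from `!fingerprint` (with a length check) and dropping the `IMPORTED` match is more robust. Since `--trusted-key` marks the key as ultimately trusted in this homedir's trustdb, a comment above `if trust then` stating that this is intended because the homedir only ever holds the `--gpgkey`/built-in key would help the next reader. `import_keyfile` begins outside this hunk.
```ocaml
  ) status;
  if trust then (
    (* IMPORTED is only emitted for keys new to the keyring; IMPORT_OK
       always carries the fingerprint, whose low 64 bits are the long
       key ID (v4 keys) that --trusted-key expects. *)
    let fp = !fingerprint in
    let fp_len = String.length fp in
    if fp_len < 16 then
      error (f_"could not determine the ID of the imported key\nUse the '-v' option and look for earlier error messages.");
    let key_id = String.sub fp (fp_len - 16) 16 in
    let cmd = sprintf "%s --homedir %s --trusted-key %s --list-keys%s"
      gpg gpghome (quote key_id)
      (if verbose then "" else " >/dev/null 2>&1") in
    (* … unchanged: print cmd when verbose, run it, check exit status … *)
  );
```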
-- 
2.1.0



