From 74e04b7e2003cf6bce5471fe5f3e9663c008a97b Mon Sep 17 00:00:00 2001 From: Greg Becker Date: Thu, 14 Nov 2019 16:22:19 -0800 Subject: Config option to allow gpg warning suppression (#13744) Add a configuration option to suppress gpg warnings during binary package verification. This only suppresses warnings: a gpg failure will still fail the install. This allows users who have already explicitly trusted the gpg key they are using to avoid seeing repeated warnings that it is self-signed.
---
 etc/spack/defaults/config.yaml | 8 ++++++++
 lib/spack/spack/binary_distribution.py | 4 +++-
 lib/spack/spack/schema/config.py | 1 +
 lib/spack/spack/util/gpg.py | 7 +++++--
 4 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/etc/spack/defaults/config.yaml b/etc/spack/defaults/config.yaml
index 6be1d9770b..3aadccfda1 100644
--- a/etc/spack/defaults/config.yaml
+++ b/etc/spack/defaults/config.yaml
@@ -80,6 +80,14 @@ config:
 verify_ssl: true
+ # Suppress gpg warnings from binary package verification
+ # Only suppresses warnings, gpg failure will still fail the install
+ # Potential rationale to set True: users have already explicitly trusted the
+ # gpg key they are using, and may not want to see repeated warnings that it
+ # is self-signed or something of the sort.
+ suppress_gpg_warnings: false
+
+
 # If set to true, Spack will attempt to build any compiler on the spec
 # that is not already available. If set to False, Spack will only use
 # compilers already configured in compilers.yaml
diff --git a/lib/spack/spack/binary_distribution.py b/lib/spack/spack/binary_distribution.py
index 23e5126303..3b10cca180 100644
--- a/lib/spack/spack/binary_distribution.py
+++ b/lib/spack/spack/binary_distribution.py
@@ -21,6 +21,7 @@ import llnl.util.tty as tty
 from llnl.util.filesystem import mkdirp, install_tree
 import spack.cmd
+import spack.config as config
 import spack.fetch_strategy as fs
 import spack.util.gpg as gpg_util
 import spack.relocate as relocate
@@ -592,7 +593,8 @@ def extract_tarball(spec, filename, allow_root=False, unsigned=False,
 if not unsigned:
 if os.path.exists('%s.asc' % specfile_path):
 try:
- Gpg.verify('%s.asc' % specfile_path, specfile_path)
+ suppress = config.get('config:suppress_gpg_warnings', False)
+ Gpg.verify('%s.asc' % specfile_path, specfile_path, suppress)
 except Exception as e:
 shutil.rmtree(tmpdir)
 tty.die(e)
diff --git a/lib/spack/spack/schema/config.py b/lib/spack/spack/schema/config.py
index 6eb127a359..7d170bbc91 100644
--- a/lib/spack/spack/schema/config.py
+++ b/lib/spack/spack/schema/config.py
@@ -56,6 +56,7 @@ properties = {
 'source_cache': {'type': 'string'},
 'misc_cache': {'type': 'string'},
 'verify_ssl': {'type': 'boolean'},
+ 'suppress_gpg_warnings': {'type': 'boolean'},
 'install_missing_compilers': {'type': 'boolean'},
 'debug': {'type': 'boolean'},
 'checksum': {'type': 'boolean'},
diff --git a/lib/spack/spack/util/gpg.py b/lib/spack/spack/util/gpg.py
index a5c10d2151..a7d1a3d8fa 100644
--- a/lib/spack/spack/util/gpg.py
+++ b/lib/spack/spack/util/gpg.py
@@ -100,8 +100,11 @@ class Gpg(object):
 cls.gpg()(*args)
 @classmethod
- def verify(cls, signature, file):
- cls.gpg()('--verify', signature, file)
+ def verify(cls, signature, file, suppress_warnings=False):
+ if suppress_warnings:
+ cls.gpg()('--verify', signature, file, error=str)
+ else:
+ cls.gpg()('--verify', signature, file)
 @classmethod
 def list(cls, trusted, signing):
-- cgit v1.2.3-70-g09d2
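Review bot: The new flag reaches `Gpg.verify` as an unnamed third positional argument, which is easy to misread on a signature check; `Gpg.verify('%s.asc' % specfile_path, specfile_path, suppress_warnings=suppress)` states that the boolean only affects warning output. The `config.get('config:suppress_gpg_warnings', False)` lookup also sits inside the `try`, so a configuration error would be reported through the same `except Exception` / `tty.die(e)` path as a failed signature check. Reading the option before the `try` keeps those two failure causes distinguishable. extract_tarball starts and ends outside the hunk.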
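Review bot: In `verify`, the `suppress_warnings` branch captures gpg's stderr with `error=str` and then discards it, so everything gpg writes there is hidden, not only the self-signed-key notice the commit message describes. Any other warning gpg prints while still exiting successfully would go unseen. On a failed verification the captured diagnostics may also be missing from what the user is shown, depending on how the executable wrapper (not visible here) builds its error. Assuming the call returns the captured text, consider keeping it, e.g. `output = cls.gpg()('--verify', signature, file, error=str)`, and logging `output` at debug level. A docstring on `verify` should state that the flag changes output only and that a gpg failure still fails the install, as the commit message says.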