From 1fce5bde33244b28e6a601da6396774e7ee870e2 Mon Sep 17 00:00:00 2001
From: "Robin H. Johnson"
Date: Tue, 28 Nov 2023 14:21:46 -0800
Subject: update-02-gpg: improve trust chain check, but also workaround behavior bug

Signed-off-by: Robin H. Johnson
---
 local/update-02-gpg | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/local/update-02-gpg b/local/update-02-gpg
index e61c7aa..79fbff4 100755
--- a/local/update-02-gpg
+++ b/local/update-02-gpg
@@ -60,10 +60,25 @@ case ${VERIFY_SIGS} in
 # create a dedicated GNUPGHOME
 TMPHOME=$(mktemp -d)
 trap 'rm -rf "${TMPHOME}"' EXIT
- # transfer the keys
+ # transfer the keys:
+ # - ONLY for the developer in question
+ # - and chain to L1
+ CHAIN=(
+ ABD00913019D6354BA1D9A132839FE0D796198B1 # openpgp-auth+l1@gentoo.org
+ 2C13823B8237310FA213034930D132FF0FF50EEB # openpgp-auth+l2-dev@gentoo.org
+ 18F703D702B1B9591373148C55D3238EC050396E # openpgp-auth+l2-srv@gentoo.org
+ )
 gpg -q --export "${GOOD_KEYS[@]}" | GNUPGHOME=${TMPHOME} gpg -q --import
 # use new GNUGPHOME to restrict to dev's keys
 export GNUPGHOME=${TMPHOME}
+ cat >>$GNUPGHOME/gpg.conf <<-EOF
+ # Workaround for chain trust issue
+ trust-model always
+ EOF
+ for _k in "${CHAIN[@]}" ; do
+ echo "trusted-key $_k" >> $GNUPGHOME/gpg.conf
+ done
+ #GNUPGHOME=${TMPHOME} gpg --check-trustdb
 ;;
 no) ;;
-- 
cgit v1.2.3-65-gdbad
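Review bot: The `trust-model always` line written into gpg.conf makes gpg accept a signature from any key present in the temporary keyring without evaluating the web of trust, so the `trusted-key` entries appended in the loop right after it are inert and the chain to the L1 key the new CHAIN array documents is not actually enforced; the `--check-trustdb` call that would have validated it is left commented out. The `# Workaround for chain trust issue` comment should state which gpg behaviour forces this and that the effective check is therefore only "key is in GOOD_KEYS", e.g. `# NOTE: trust-model always disables the L1 chain check; trusted-key lines below are kept for when the pgp trust model can be restored (TODO: re-enable --check-trustdb)`. If GOOD_KEYS does not itself contain the L1/L2 keys, the trusted-key entries presumably refer to keys absent from the temporary keyring, which is worth confirming. As a point of style, the gpg.conf path is unquoted in both redirections; `cat >>"$GNUPGHOME/gpg.conf" <<-EOF` and `printf 'trusted-key %s\n' "$_k" >>"$GNUPGHOME/gpg.conf"` match the quoting used for `"${TMPHOME}"` in the trap. The enclosing `case ${VERIFY_SIGS} in` statement begins before this hunk.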