Config option to allow gpg warning suppression (#13744)

Add a configuration option to suppress gpg warnings during binary package verification. This only suppresses warnings: a gpg failure will still fail the install. This allows users who have already explicitly trusted the gpg key they are using to avoid seeing repeated warnings that it is self-signed.
2019-11-14 16:22:19 -08:00 · 2019-11-14 16:22:19 -08:00 · 74e04b7e20
commit 74e04b7e20
parent 28163cb34f
4 changed files with 17 additions and 3 deletions
--- a/etc/spack/defaults/config.yaml
+++ b/etc/spack/defaults/config.yaml
@ -80,6 +80,14 @@ config:
  verify_ssl: true


+  # Suppress gpg warnings from binary package verification
+  # Only suppresses warnings, gpg failure will still fail the install
+  # Potential rationale to set True: users have already explicitly trusted the
+  # gpg key they are using, and may not want to see repeated warnings that it
+  # is self-signed or something of the sort.
+  suppress_gpg_warnings: false
+
+
  # If set to true, Spack will attempt to build any compiler on the spec
  # that is not already available. If set to False, Spack will only use
  # compilers already configured in compilers.yaml
--- a/lib/spack/spack/binary_distribution.py
+++ b/lib/spack/spack/binary_distribution.py
@ -21,6 +21,7 @@
 from llnl.util.filesystem import mkdirp, install_tree

 import spack.cmd
+import spack.config as config
 import spack.fetch_strategy as fs
 import spack.util.gpg as gpg_util
 import spack.relocate as relocate
@ -592,7 +593,8 @@ def extract_tarball(spec, filename, allow_root=False, unsigned=False,
    if not unsigned:
        if os.path.exists('%s.asc' % specfile_path):
            try:
-                Gpg.verify('%s.asc' % specfile_path, specfile_path)
+                suppress = config.get('config:suppress_gpg_warnings', False)
+                Gpg.verify('%s.asc' % specfile_path, specfile_path, suppress)
            except Exception as e:
                shutil.rmtree(tmpdir)
                tty.die(e)
--- a/lib/spack/spack/schema/config.py
+++ b/lib/spack/spack/schema/config.py
@ -56,6 +56,7 @@
            'source_cache': {'type': 'string'},
            'misc_cache': {'type': 'string'},
            'verify_ssl': {'type': 'boolean'},
+            'suppress_gpg_warnings': {'type': 'boolean'},
            'install_missing_compilers': {'type': 'boolean'},
            'debug': {'type': 'boolean'},
            'checksum': {'type': 'boolean'},
--- a/lib/spack/spack/util/gpg.py
+++ b/lib/spack/spack/util/gpg.py
@ -100,8 +100,11 @@ def sign(cls, key, file, output, clearsign=False):
        cls.gpg()(*args)

    @classmethod
-    def verify(cls, signature, file):
-        cls.gpg()('--verify', signature, file)
+    def verify(cls, signature, file, suppress_warnings=False):
+        if suppress_warnings:
+            cls.gpg()('--verify', signature, file, error=str)
+        else:
+            cls.gpg()('--verify', signature, file)

    @classmethod
    def list(cls, trusted, signing):