Config option to allow gpg warning suppression (#13744)

Add a configuration option to suppress gpg warnings during binary package verification. This only suppresses warnings: a gpg failure will still fail the install. This allows users who have already explicitly trusted the gpg key they are using to avoid seeing repeated warnings that it is self-signed.

Config option to allow gpg warning suppression (#13744)
74e04b7e · Greg Becker · Peter Scheibel · 28163cb3 · 74e04b7e · 74e04b7e
Commit 74e04b7e authored 5 years ago by Greg Becker Committed by Peter Scheibel 5 years ago
--- a/etc/spack/defaults/config.yaml
+++ b/etc/spack/defaults/config.yaml
@@ -80,6 +80,14 @@ config:
  verify_ssl: true
+  # Suppress gpg warnings from binary package verification
+  # Only suppresses warnings, gpg failure will still fail the install
+  # Potential rationale to set True: users have already explicitly trusted the
+  # gpg key they are using, and may not want to see repeated warnings that it
+  # is self-signed or something of the sort.
+  suppress_gpg_warnings: false
  # If set to true, Spack will attempt to build any compiler on the spec
  # that is not already available. If set to False, Spack will only use
  # compilers already configured in compilers.yaml

--- a/lib/spack/spack/binary_distribution.py
+++ b/lib/spack/spack/binary_distribution.py
@@ -21,6 +21,7 @@
 from llnl.util.filesystem import mkdirp, install_tree
 import spack.cmd
+import spack.config as config
 import spack.fetch_strategy as fs
 import spack.util.gpg as gpg_util
 import spack.relocate as relocate
@@ -592,7 +593,8 @@ def extract_tarball(spec, filename, allow_root=False, unsigned=False,
    if not unsigned:
        if os.path.exists('%s.asc' % specfile_path):
            try:
-                Gpg.verify('%s.asc' % specfile_path, specfile_path)
+                suppress = config.get('config:suppress_gpg_warnings', False)
+                Gpg.verify('%s.asc' % specfile_path, specfile_path, suppress)
            except Exception as e:
                shutil.rmtree(tmpdir)
                tty.die(e)

--- a/lib/spack/spack/schema/config.py
+++ b/lib/spack/spack/schema/config.py
@@ -56,6 +56,7 @@
            'source_cache': {'type': 'string'},
            'misc_cache': {'type': 'string'},
            'verify_ssl': {'type': 'boolean'},
+            'suppress_gpg_warnings': {'type': 'boolean'},
            'install_missing_compilers': {'type': 'boolean'},
            'debug': {'type': 'boolean'},
            'checksum': {'type': 'boolean'},

--- a/lib/spack/spack/util/gpg.py
+++ b/lib/spack/spack/util/gpg.py
@@ -100,8 +100,11 @@ def sign(cls, key, file, output, clearsign=False):
        cls.gpg()(*args)
    @classmethod
-    def verify(cls, signature, file):
+    def verify(cls, signature, file, suppress_warnings=False):
-        cls.gpg()('--verify', signature, file)
+        if suppress_warnings:
+            cls.gpg()('--verify', signature, file, error=str)
+        else:
+            cls.gpg()('--verify', signature, file)
    @classmethod
    def list(cls, trusted, signing):