Merge pull request #7758 from guggero/gpg-homedir

scripts: use gpg --homedir flag to fix new behavior in 2.4
This commit is contained in:
Oliver Gugger
2023-07-11 10:33:57 +02:00
committed by GitHub
2 changed files with 13 additions and 8 deletions


@@ -168,6 +168,11 @@ unlock or create.
`RPCCRTPATH`](https://github.com/lightningnetwork/lnd/pull/7429) to the
`lnd` Docker image main script (`/start-lnd.sh`).
* Fix bug in `scripts/verify-install.sh` that caused the [release binary
signature verification script to not properly import signing
keys](https://github.com/lightningnetwork/lnd/pull/7758) when being run with
new version of `gpg` (which is the case in the latest Docker image).
# Contributors (Alphabetical Order)
* Aljaz Ceru


@@ -66,8 +66,8 @@ function import_keys() {
USERNAME=$(echo $key | cut -d' ' -f2)
IMPORT_FILE="keys/$USERNAME.asc"
KEY_FILE="$DIR/$IMPORT_FILE"
KEYRING_UNTRUSTED="$TEMP_DIR/$USERNAME.pgp-untrusted"
KEYRING_TRUSTED="$TEMP_DIR/$USERNAME.pgp"
KEYRING_UNTRUSTED="$USERNAME.pgp-untrusted"
KEYRING_TRUSTED="$USERNAME.pgp"
# Because a key file could contain multiple keys, we need to be careful. To
# make sure we only import and use the key with the hard coded key ID of
@@ -79,14 +79,14 @@ function import_keys() {
# few lines.
echo ""
echo "Importing key(s) from $KEY_FILE into temporary keyring $KEYRING_UNTRUSTED"
gpg --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
--import < "$KEY_FILE"
echo ""
echo "Exporting key $KEY_ID from untrusted keyring to trusted keyring $KEYRING_TRUSTED"
gpg --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
--export "$KEY_ID" | \
gpg --no-default-keyring --keyring "$KEYRING_TRUSTED" --import
gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING_TRUSTED" --import
done
}
@@ -137,8 +137,8 @@ function verify_signatures() {
USERNAME=${USERNAME##manifest-}
# If the user is known, they should have a key ring file with only their key.
KEYRING="$TEMP_DIR/$USERNAME.pgp"
if [[ ! -f "$KEYRING" ]]; then
KEYRING="$USERNAME.pgp"
if [[ ! -f "$TEMP_DIR/$KEYRING" ]]; then
echo "User $USERNAME does not have a known key, skipping"
continue
fi
@@ -156,7 +156,7 @@ function verify_signatures() {
fi
# Run the actual verification.
gpg --no-default-keyring --keyring "$KEYRING" --status-fd=1 \
gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING" --status-fd=1 \
--verify "$TEMP_DIR/$signature" "$TEMP_DIR/$MANIFEST" \
> "$STATUS_FILE" 2>&1 || { echo "ERROR: Invalid signature!"; exit 1; }
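Review bot: The relative keyring names introduced at `KEYRING_UNTRUSTED="$USERNAME.pgp-untrusted"` and `KEYRING_TRUSTED="$USERNAME.pgp"` make correctness depend on every gpg invocation in the file carrying `--homedir "$TEMP_DIR"`; gpg resolves a `--keyring` name without a slash inside its home directory, so a call that omits the flag would silently read or create the keyring under the caller's default ~/.gnupg rather than failing, which is exactly the silent fallback this script is meant to rule out. The four call sites in this diff all pass it, but a one-line wrapper such as `gpg_tmp() { gpg --homedir "$TEMP_DIR" --no-default-keyring "$@"; }` used at each site would make the invariant hard to miss, and the keyring assignment deserves a comment like `# Keyring names are relative to --homedir "$TEMP_DIR", which every gpg call below must pass.` A second point to confirm: with a dedicated homedir gpg 2.x starts a gpg-agent bound to that directory, so if the script removes $TEMP_DIR on exit (not visible in these hunks) it should run `gpgconf --homedir "$TEMP_DIR" --kill gpg-agent` first to avoid a lingering agent process and stale socket. Both import_keys and verify_signatures start before and continue after their hunks.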