From 8c9f4515b6583c35f56cdafb05241cc3b29600e9 Mon Sep 17 00:00:00 2001
From: Oliver Gugger
Date: Mon, 12 Jun 2023 09:31:26 +0200
Subject: [PATCH] scripts: use gpg --homedir flag to fix new behavior in 2.4

With the latest Golang Docker base image we are using the new gpg version 2.4 is now being installed in the lnd Docker base image. Apparently the expected value for the --keyring flag is just a file name and not an absolute path. The path of the file is indicated either by the $HOME environment variable or the --homedir flag. It looks like 2.4 now finally stopped supporting an absolute path in the --keyring flag and we need to update our gpg command to make the script work again. This should be backward compatible and still work on older versions of gpg.
---
 scripts/verify-install.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/scripts/verify-install.sh b/scripts/verify-install.sh
index ad7274841..f133c2758 100755
--- a/scripts/verify-install.sh
+++ b/scripts/verify-install.sh
@@ -66,8 +66,8 @@ function import_keys() {
     USERNAME=$(echo $key | cut -d' ' -f2)
     IMPORT_FILE="keys/$USERNAME.asc"
     KEY_FILE="$DIR/$IMPORT_FILE"
-    KEYRING_UNTRUSTED="$TEMP_DIR/$USERNAME.pgp-untrusted"
-    KEYRING_TRUSTED="$TEMP_DIR/$USERNAME.pgp"
+    KEYRING_UNTRUSTED="$USERNAME.pgp-untrusted"
+    KEYRING_TRUSTED="$USERNAME.pgp"
     # Because a key file could contain multiple keys, we need to be careful. To
     # make sure we only import and use the key with the hard coded key ID of
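Review bot: The new `KEYRING_UNTRUSTED`/`KEYRING_TRUSTED` values are bare file names, and nothing near the assignments records that they only resolve correctly because every later gpg call passes `--homedir "$TEMP_DIR"`; gpg looks a `--keyring` name up in the home directory only when the name contains no slash, so a reader who sees these two lines alone would expect files in the current directory. A comment above the two assignments would make the intent explicit: `# Bare names on purpose: gpg resolves a slash-free --keyring value against --homedir ($TEMP_DIR); gpg 2.4 rejects absolute paths here.` Making $TEMP_DIR a gpg home directory also means gpg writes its own state files there (a trustdb at least), so the directory should be created private, as `mktemp -d` does, and removed as a whole rather than file by file; its creation and cleanup are outside this hunk, so I cannot confirm how they are done. The enclosing `for` loop of import_keys starts before the hunk.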
@@ -79,14 +79,14 @@ function import_keys() {
     # few lines.
     echo ""
     echo "Importing key(s) from $KEY_FILE into temporary keyring $KEYRING_UNTRUSTED"
-    gpg --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
+    gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
         --import < "$KEY_FILE"
     echo ""
     echo "Exporting key $KEY_ID from untrusted keyring to trusted keyring $KEYRING_TRUSTED"
-    gpg --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
+    gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING_UNTRUSTED" \
         --export "$KEY_ID" | \
-        gpg --no-default-keyring --keyring "$KEYRING_TRUSTED" --import
+        gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING_TRUSTED" --import
   done
 }
@@ -137,8 +137,8 @@ function verify_signatures() {
     USERNAME=${USERNAME##manifest-}
     # If the user is known, they should have a key ring file with only their key.
-    KEYRING="$TEMP_DIR/$USERNAME.pgp"
-    if [[ ! -f "$KEYRING" ]]; then
+    KEYRING="$USERNAME.pgp"
+    if [[ ! -f "$TEMP_DIR/$KEYRING" ]]; then
       echo "User $USERNAME does not have a known key, skipping"
       continue
     fi
@@ -156,7 +156,7 @@ function verify_signatures() {
     fi
     # Run the actual verification.
-    gpg --no-default-keyring --keyring "$KEYRING" --status-fd=1 \
+    gpg --homedir "$TEMP_DIR" --no-default-keyring --keyring "$KEYRING" --status-fd=1 \
         --verify "$TEMP_DIR/$signature" "$TEMP_DIR/$MANIFEST" \
         > "$STATUS_FILE" 2>&1 || { echo "ERROR: Invalid signature!"; exit 1; }
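Review bot: Every gpg call in this hunk now repeats `--homedir "$TEMP_DIR" --no-default-keyring`, and because the keyring names became relative, dropping the `--homedir` flag from any one call would no longer fail loudly but would silently create or read `$USERNAME.pgp` in the caller's default `~/.gnupg`. A small wrapper removes the repetition and makes that mistake impossible: `gpg_tmp() { gpg --homedir "$TEMP_DIR" --no-default-keyring "$@"; }`, then `gpg_tmp --keyring "$KEYRING_UNTRUSTED" --import < "$KEY_FILE"` and likewise for the export/import pipe. The same applies to the `--verify` call in the `@@ -156,7` hunk. The export-to-import pipe also still carries no check that the export actually produced `$KEY_ID`; whether an empty export makes the second gpg exit non-zero and stop the script depends on how `set -e`/`pipefail` are configured, which is outside this hunk.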
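Review bot: `KEYRING="$USERNAME.pgp"` and the check `-f "$TEMP_DIR/$KEYRING"` in the `@@ -137,8` hunk now name the same file in two forms, which is easy to get out of step when one of them is edited later; keeping one variable for the on-disk path, e.g. `KEYRING_PATH="$TEMP_DIR/$KEYRING"` used in the `-f` test, would remove that drift. Unlike import_keys, `$USERNAME` here is cut from a signature file name (`${USERNAME##manifest-}` in the context line), so a short comment that the bare name is intentional and paired with `--homedir` in the later `--verify` call is worth adding. The enclosing `for` loop and the origin of the signature file names are outside this hunk.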