From b82a97bd7606d99f89136151bedc56340d88575f Mon Sep 17 00:00:00 2001 From: Bertrand Jacquin Date: Sat, 10 Jan 2026 11:21:30 +0000 Subject: [PATCH] openpgp: always update information about the Web of Trust gemato can fail if /etc/gnupg/gpg.conf contains no-auto-check-trustdb while gemato needs --check-trustdb: $ gemato openpgp-verify-detached -K /usr/share/openpgp-keys/chetramey.asc -R --no-require-all-good /var/tmp/portage/sys-libs/readline-8.3_p3/distdir/readline-8.3.tar.gz.sig /var/tmp/portage/sys-libs/readline-8.3_p3/distdir/readline-8.3.tar.gz ERROR OpenPGP verification failed for <_io.BufferedReader name='/var/tmp/portage/sys-libs/readline-8.3_p3/distdir/readline-8.3.tar.gz'> (sig in /var/tmp/portage/sys-libs/readline-8.3_p3/distdir/readline-8.3.tar.gz.sig): Good OpenPGP signature made using untrusted key: gpg: Warning: using insecure memory! gpg: Signature made Wed Jul 2 13:17:41 2025 UTC gpg: using DSA key 7C0135FB088AAF6C66C650B9BB5869F064EA74AB gpg: please do a --check-trustdb gpg: Good signature from "Chet Ramey " [unknown] gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. Primary key fingerprint: 7C01 35FB 088A AF6C 66C6 50B9 BB58 69F0 64EA 74AB This commit circumvent the issue by forcing --auto-check-trustdb which takes precedence over configuration file. Closes: https://bugs.gentoo.org/968583 Signed-off-by: Bertrand Jacquin --- gemato/openpgp.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/gemato/openpgp.py b/gemato/openpgp.py index 1d2823a..8c2647e 100644 --- a/gemato/openpgp.py +++ b/gemato/openpgp.py @@ -374,7 +374,8 @@ def verify_file(self, """ exitst, out, err = self._spawn_gpg( - [GNUPG, '--batch', '--status-fd', '1', '--verify'], + [GNUPG, '--batch', '--auto-check-trustdb', + '--status-fd', '1', '--verify'], f.read().encode('utf8')) return self._process_gpg_verify_output(out, err, require_all_good) 
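Review bot: Adding `--auto-check-trustdb` to the verify invocation overrides an administrator's deliberate `no-auto-check-trustdb`, and per gpg(1) it runs a full `--check-trustdb` whenever gpg considers the trustdb stale, which rewrites `trustdb.gpg` and can be slow on a large keyring; whether that cost is bounded depends on whether this environment uses an isolated GNUPGHOME or the user's own, which is not visible in this hunk. If ownertrust is set at key-import time elsewhere in this class, a single explicit `--check-trustdb` after that import would keep the Web of Trust current without re-evaluating it on every call; if the per-verify override is intended, the reason belongs in a comment next to the option, e.g. `# --auto-check-trustdb: a command-line option wins over gpg.conf, so a stale trustdb is refreshed even when the system config says no-auto-check-trustdb; otherwise the key is reported [unknown] and the signature is rejected.` The signature of verify_file and the rest of its body lie outside the hunk.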
@@ -398,7 +399,8 @@ def verify_detached(self, """ _, out, err = self._spawn_gpg( - [GNUPG, "--batch", "--status-fd", "1", "--verify", + [GNUPG, "--batch", "--auto-check-trustdb", + "--status-fd", "1", "--verify", str(signature_file), "-"], stdin_file=data_file) return self._process_gpg_verify_output(out, err, require_all_good)
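Review bot: The gpg option prefix `--batch --auto-check-trustdb --status-fd 1 --verify` is now spelled out by hand in both verify_file and verify_detached, so the next trust-related option added to one can silently drift from the other; hoisting it into one class-level constant, `_GPG_VERIFY_OPTS = [GNUPG, '--batch', '--auto-check-trustdb', '--status-fd', '1', '--verify']`, and building the argv as `self._GPG_VERIFY_OPTS + [str(signature_file), '-']` here keeps both call sites in step. The commit message's precedence claim holds because gpg parses the config file before command-line options, but that reliance on ordering is worth a one-line comment on the option so it is not later moved after a `--options` argument. verify_detached's signature and docstring start before the hunk.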