Fix gpg.verify with python-gnupg >= 0.5.1

salt/modules/gpg.py

@@ -29,9 +29,17 @@
 
 log = logging.getLogger(__name__)
 
-# Define the module's virtual name
+try:
+    import gnupg
+
+    HAS_GPG_BINDINGS = True
+except ImportError:
+    HAS_GPG_BINDINGS = False
+
+
 __virtualname__ = "gpg"
 
+# Map of letters indicating key validity to pretty string (for display)
 LETTER_TRUST_DICT = immutabletypes.freeze(
     {
         "e": "Expired",
@@ -45,6 +53,22 @@
     }
 )
 
+
+# Map of allowed `trust_level` param values in `trust_key`
+# to trust parameter for python-gnupg trust_keys (to manage owner trust)
+TRUST_KEYS_TRUST_LEVELS = immutabletypes.freeze(
+    {
+        "expired": "TRUST_EXPIRED",
+        "unknown": "TRUST_UNDEFINED",
+        "not_trusted": "TRUST_NEVER",
+        "marginally": "TRUST_MARGINAL",
+        "fully": "TRUST_FULLY",
+        "ultimately": "TRUST_ULTIMATE",
+    }
+)
+
+# Map of allowed `trust_level` param values in `trust_key`
+# to owner trust numeric values
 NUM_TRUST_DICT = immutabletypes.freeze(
     {
         "expired": "1",
@@ -56,6 +80,7 @@
     }
 )
 
+# Map of owner trust numeric values to pretty string (for display)
 INV_NUM_TRUST_DICT = immutabletypes.freeze(
     {
         "1": "Expired",
@@ -67,36 +92,33 @@
     }
 )
 
-VERIFY_TRUST_LEVELS = immutabletypes.freeze(
-    {
-        "0": "Undefined",
-        "1": "Never",
-        "2": "Marginal",
-        "3": "Fully",
-        "4": "Ultimate",
-    }
-)
-
-TRUST_KEYS_TRUST_LEVELS = immutabletypes.freeze(
-    {
-        "expired": "TRUST_EXPIRED",
-        "unknown": "TRUST_UNDEFINED",
-        "never": "TRUST_NEVER",
-        "marginally": "TRUST_MARGINAL",
-        "fully": "TRUST_FULLY",
-        "ultimately": "TRUST_ULTIMATE",
-    }
-)
+# Map of signature validity numeric values to pretty string (for display)
+if not HAS_GPG_BINDINGS:
+    VERIFY_TRUST_LEVELS = {}
+elif salt.utils.versions.version_cmp(gnupg.__version__, "0.5.1") >= 0:
+    VERIFY_TRUST_LEVELS = immutabletypes.freeze(
+        {
+            "0": "Expired",
+            "1": "Undefined",
+            "2": "Never",
+            "3": "Marginal",
+            "4": "Fully",
+            "5": "Ultimate",
+        }
+    )
+else:
+    VERIFY_TRUST_LEVELS = immutabletypes.freeze(
+        {
+            "0": "Undefined",
+            "1": "Never",
+            "2": "Marginal",
+            "3": "Fully",
+            "4": "Ultimate",
+        }
+    )
 
 _DEFAULT_KEY_SERVER = "keys.openpgp.org"
 
-try:
-    import gnupg
-
-    HAS_GPG_BINDINGS = True
-except ImportError:
-    HAS_GPG_BINDINGS = False
-
 
 def _gpg():
     """

tests/pytests/functional/modules/test_gpg.py

@@ -794,6 +794,29 @@ def test_verify_with_keyring(gpghome, gnupg, gpg, keyring, sig, signed_data, key
     assert res["key_id"] == key_a_fp[-16:]
 
 
+@pytest.mark.usefixtures("_pubkeys_present")
+# Can't easily test the other signature validity levels since
+# we would need to sign the pubkey ourselves, which is not
+# exposed by python-gnupg as of release 0.5.2.
+@pytest.mark.parametrize(
+    "ownertrust,text", (("TRUST_NEVER", "Undefined"), ("TRUST_ULTIMATE", "Ultimate"))
+)
+def test_verify_trust_levels(
+    gpghome, gpg, gnupg, key_a_fp, sig, signed_data, ownertrust, text
+):
+    gnupg.trust_keys(key_a_fp, ownertrust)
+    res = gpg.verify(
+        filename=str(signed_data),
+        signature=sig,
+        gnupghome=str(gpghome),
+    )
+    assert res["res"] is True
+    assert "is verified" in res["message"]
+    assert "key_id" in res
+    assert res["key_id"] == key_a_fp[-16:]
+    assert res["trust_level"] == text
+
+
 @pytest.mark.usefixtures("_pubkeys_present")
 @pytest.mark.requires_random_entropy
 def test_encrypt(gpghome, gpg, gnupg, key_b_fp):