script/*: fix gpg usage wrt keyboxd

I used script/keyring_validate.sh, which gave me this error:

> [*] User cyphar in runc.keyring is not a maintainer!

Apparently, when gnupg 2.4.1+ sees a fresh install (i.e. no ~/.gnupg
directory), it configures itself to use keyboxd instead of keyring
files, and when just silently ignores options like --keyring and
--no-default-keyring, working with keyboxd all the time.

The only way I found to make it not use keyboxd is to set --homedir.
Let's do that when we explicitly want a separate keyring.

Similar change is made to script/release_key.sh.

Also, change "--import --import-options=show-only" to "--show-keys"
which is a shortcut. When using this, there is no need to protect
the default keyring since this command does not read or modify it.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>

script/keyring_validate.sh

@@ -31,6 +31,9 @@ function bail() {
 # Temporary GPG keyring for messing around with.
 tmp_gpgdir="$(mktemp -d --tmpdir "$project-validate-tmpkeyring.XXXXXX")"
 trap 'rm -r "$tmp_gpgdir"' EXIT
+function gpg_user() {
+	gpg --homedir="$tmp_gpgdir" --no-default-keyring --keyring="$username.keyring" "$@"
+}
 
 # Get the set of MAINTAINERS.
 readarray -t maintainers < <(sed -E 's|.* <.*> \(@?(.*)\)$|\1|' <"$root/MAINTAINERS")
@@ -41,8 +44,7 @@ echo "------------------------------------------------------------"
 
 # Create a dummy gpg keyring from the set of MAINTAINERS.
 while IFS="" read -r username || [ -n "$username" ]; do
-	curl -sSL "https://github.com/$username.gpg" |
-		gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" --import
+	curl -sSL "https://github.com/$username.gpg" | gpg_user --import
 done < <(printf '%s\n' "${maintainers[@]}")
 
 # Make sure all of the keys in the keyring have a github=... comment.
@@ -65,8 +67,7 @@ echo "------------------------------------------------------------"
 echo "$project release managers:"
 sed -En "s|^Comment:.* github=(\w+).*| * \1|p" <"$root/$project.keyring" | sort -u
 echo "------------------------------------------------------------"
-gpg --no-default-keyring --keyring="$tmp_gpgdir/keyring" \
-	--import --import-options=show-only <"$root/$project.keyring"
+gpg --show-keys <"$root/$project.keyring"
 echo "------------------------------------------------------------"
 
 # Check that each entry in the kering is actually a maintainer's key.
@@ -94,12 +95,10 @@ while IFS="" read -d $'\0' -r block || [ -n "$block" ]; do
 	# fingerprint. See <https://github.com/gpg/gnupg/blob/master/doc/DETAILS>
 	# for more details.
 	while IFS="" read -r key || [ -n "$key" ]; do
-		gpg --no-default-keyring --keyring="$tmp_gpgdir/$username.keyring" \
-			--list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null ||
+		gpg_user --list-keys --with-colons | grep "$fprfield:::::::::$key:" >/dev/null ||
 			bail "(Sub?)Key $key in $project.keyring is NOT actually one of $username's keys!"
 		log "Successfully verified $username's (sub?)key $key is legitimate."
-	done < <(gpg --no-default-keyring \
-		--import --import-options=show-only --with-colons <<<"$block" |
+	done < <(gpg --show-keys --with-colons <<<"$block" |
 		grep "^$fprfield:" | cut -d: -f10)
 done < <(awk <"$root/$project.keyring" '
 	/^-----BEGIN PGP PUBLIC KEY BLOCK-----$/ { in_block=1 }

script/release_sign.sh

@@ -105,10 +105,10 @@ set -x
 tmp_gpgdir="$(mktemp -d --tmpdir "$project-sign-tmpkeyring.XXXXXX")"
 trap 'rm -r "$tmp_gpgdir"' EXIT
 
-tmp_runc_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/$project.keyring")
+tmp_runc_gpgflags=("--homedir=$tmp_gpgdir" "--no-default-keyring" "--keyring=$project.keyring")
 gpg "${tmp_runc_gpgflags[@]}" --import <"$root/$project.keyring"
 
-tmp_seccomp_gpgflags=("--no-default-keyring" "--keyring=$tmp_gpgdir/seccomp.keyring")
+tmp_seccomp_gpgflags=("--homedir=$tmp_gpgdir" "--no-default-keyring" "--keyring=seccomp.keyring")
 gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x47A68FCE37C7D7024FD65E11356CE62C2B524099
 gpg "${tmp_seccomp_gpgflags[@]}" --recv-keys 0x7100AADFAE6E6E940D2E0AD655E45A5AE8CA7C8A