add / remove gpg keys to / from system keychain

app/models/gpg_key.rb

@@ -19,6 +19,8 @@ class GpgKey < ActiveRecord::Base
     unless: -> { errors.has_key?(:key) }
 
   before_validation :extract_fingerprint
+  after_create :add_to_keychain
+  after_destroy :remove_from_keychain
 
   def key=(value)
     value.strip! unless value.blank?
@@ -37,4 +39,12 @@ class GpgKey < ActiveRecord::Base
     # only allows one key
     self.fingerprint = Gitlab::Gpg.fingerprints_from_key(key).first
   end
+
+  def add_to_keychain
+    Gitlab::Gpg.add_to_keychain(key)
+  end
+
+  def remove_from_keychain
+    Gitlab::Gpg.remove_from_keychain(fingerprint)
+  end
 end

lib/gitlab/gpg.rb

@@ -12,6 +12,14 @@ module Gitlab
       end
     end
 
+    def add_to_keychain(key)
+      GPGME::Key.import(key)
+    end
+
+    def remove_from_keychain(fingerprint)
+      GPGME::Key.get(fingerprint).delete!
+    end
+
     def using_tmp_keychain
       Dir.mktmpdir do |dir|
         @original_dirs ||= [GPGME::Engine.dirinfo('homedir')]

spec/lib/gitlab/gpg_spec.rb

@@ -15,6 +15,24 @@ describe Gitlab::Gpg do
     end
   end
 
-  describe '.add_to_keychain' do
+  describe '.add_to_keychain', :gpg do
+    it 'stores the key in the keychain' do
+      expect(GPGME::Key.find(:public, '4F4840A503964251CF7D7F5DC728AF10972E97C0')).to eq []
+
+      Gitlab::Gpg.add_to_keychain(GpgHelpers.public_key)
+
+      expect(GPGME::Key.find(:public, '4F4840A503964251CF7D7F5DC728AF10972E97C0')).not_to eq []
+    end
+  end
+
+  describe '.remove_from_keychain', :gpg do
+    it 'removes the key from the keychain' do
+      Gitlab::Gpg.add_to_keychain(GpgHelpers.public_key)
+      expect(GPGME::Key.find(:public, '4F4840A503964251CF7D7F5DC728AF10972E97C0')).not_to eq []
+
+      Gitlab::Gpg.remove_from_keychain('4F4840A503964251CF7D7F5DC728AF10972E97C0')
+
+      expect(GPGME::Key.find(:public, '4F4840A503964251CF7D7F5DC728AF10972E97C0')).to eq []
+    end
   end
 end

spec/models/gpg_key_spec.rb

@@ -13,14 +13,32 @@ describe GpgKey do
     it { is_expected.not_to allow_value('BEGIN PGP').for(:key) }
   end
 
-  context 'callbacks' do
+  context 'callbacks', :gpg do
     describe 'extract_fingerprint' do
-      it 'extracts the fingerprint from the gpg key', :gpg do
+      it 'extracts the fingerprint from the gpg key' do
         gpg_key = described_class.new(key: GpgHelpers.public_key)
         gpg_key.valid?
         expect(gpg_key.fingerprint).to eq '4F4840A503964251CF7D7F5DC728AF10972E97C0'
       end
     end
+
+    describe 'add_to_keychain' do
+      it 'calls add_to_keychain after create' do
+        expect(Gitlab::Gpg).to receive(:add_to_keychain).with(GpgHelpers.public_key)
+        create :gpg_key
+      end
+    end
+
+    describe 'remove_from_keychain' do
+      it 'calls remove_from_keychain after destroy' do
+        allow(Gitlab::Gpg).to receive :add_to_keychain
+        gpg_key = create :gpg_key
+
+        expect(Gitlab::Gpg).to receive(:remove_from_keychain).with('4F4840A503964251CF7D7F5DC728AF10972E97C0')
+
+        gpg_key.destroy!
+      end
+    end
   end
 
   describe '#key=' do
@@ -37,7 +55,7 @@ describe GpgKey do
     end
   end
 
-  describe '#emails' do
+  describe '#emails', :gpg do
     it 'returns the emails from the gpg key' do
       gpg_key = create :gpg_key
 

spec/support/gpg_helpers.rb

@@ -29,7 +29,7 @@ module GpgHelpers
   end
 
   def public_key
-    <<~PUBLICKEY
+    <<~PUBLICKEY.strip
       -----BEGIN PGP PUBLIC KEY BLOCK-----
       Version: GnuPG v1