1 files changed, 59 insertions, 10 deletions

diff --git a/build-aux/announce-gen b/build-aux/announce-gen
index f3b5461ae..3847a568d 100755
--- a/build-aux/announce-gen
+++ b/build-aux/announce-gen
@@ -3,7 +3,7 @@
 
 # Generate a release announcement message.
 
-# Copyright (C) 2002-2021 Free Software Foundation, Inc.
+# Copyright (C) 2002-2022 Free Software Foundation, Inc.
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -35,13 +35,13 @@
 eval 'exec perl -wSx "$0" "$@"'
      if 0;
 
-my $VERSION = '2021-08-04 09:17'; # UTC
+my $VERSION = '2022-07-10 01:47'; # UTC
 # The definition above must lie within the first 8 lines in order
 # for the Emacs time-stamp write hook (at end) to update it.
 # If you change this file with Emacs, please let the write hook
 # do its job.  Otherwise, update this string manually.
 
-my $copyright_year = '2021';
+my $copyright_year = '2022';
 
 use strict;
 use Getopt::Long;
@@ -90,6 +90,10 @@ The following are optional:
                                 VERSION is the result of running git describe
                                 in the gnulib source directory.
                                 required if gnulib is in TOOL_LIST.
+   --gpg-key-email=EMAIL        The email address of the key used to
+                                sign the tarballs
+   --gpg-keyring-url=URL        URL pointing to keyring containing the key used
+                                to sign the tarballs
    --no-print-checksums         do not emit SHA1 or SHA256 checksums
    --archive-suffix=SUF         add SUF to the list of archive suffixes
    --mail-headers=HEADERS       a space-separated list of mail headers, e.g.,
@@ -377,6 +381,8 @@ sub get_tool_versions ($$)
   my $bootstrap_tools;
   my $gnulib_version;
   my $print_checksums_p = 1;
+  my $gpg_key_email;
+  my $gpg_keyring_url;
 
   # Reformat the warnings before displaying them.
   local $SIG{__WARN__} = sub
@@ -395,6 +401,8 @@ sub get_tool_versions ($$)
      'previous-version=s' => \$prev_version,
      'current-version=s'  => \$curr_version,
      'gpg-key-id=s'       => \$gpg_key_id,
+     'gpg-key-email=s'    => \$gpg_key_email,
+     'gpg-keyring-url=s'  => \$gpg_keyring_url,
      'url-directory=s'    => \@url_dir_list,
      'news=s'             => \@news_file,
      'srcdir=s'           => \$srcdir,
@@ -437,11 +445,15 @@ sub get_tool_versions ($$)
   my @tool_list = split ',', $bootstrap_tools
     if $bootstrap_tools;
 
-  grep (/^gnulib$/, @tool_list) ^ defined $gnulib_version
+  grep (/^gnulib$/, @tool_list) && ! defined $gnulib_version
     and (warn "when specifying gnulib as a tool, you must also specify\n"
         . "--gnulib-version=V, where V is the result of running git describe\n"
         . "in the gnulib source directory.\n"), $fail = 1;
 
+  ! grep (/^gnulib$/, @tool_list) && defined $gnulib_version
+    and (warn "with --gnulib-version=V you must use --bootstrap-tools=...\n"
+         . "including gnulib in that list"), $fail = 1;
+
   !$release_type || exists $valid_release_types{$release_type}
     or (warn "'$release_type': invalid release type\n"), $fail = 1;
 
@@ -490,7 +502,7 @@ EOF
     {
       # When there's only one tarball and one URL, use a more concise form.
       my $m = "$url_dir_list[0]/$tarballs[0]";
-      print "Here are the compressed sources and a GPG detached signature[*]:\n"
+      print "Here are the compressed sources and a GPG detached signature:\n"
         . "  $m\n"
         . "  $m.sig\n\n";
     }
@@ -502,7 +514,7 @@ EOF
                              . "please tell bug-gnulib\@gnu.org)",
                              @url_dir_list, %size, $xd);
       my @sig_files = map { "$_.sig" } @tarballs;
-      print_locations ("GPG detached signatures[*]", @url_dir_list, %size,
+      print_locations ("GPG detached signatures", @url_dir_list, %size,
                        @sig_files);
     }
 
@@ -527,18 +539,55 @@ EOF
     and print_checksums (@sizable);
 
   print <<EOF;
-[*] Use a .sig file to verify that the corresponding file (without the
+Use a .sig file to verify that the corresponding file (without the
 .sig suffix) is intact.  First, be sure to download both the .sig file
 and the corresponding tarball.  Then, run a command like this:
 
   gpg --verify $tarballs[0].sig
 
+EOF
+  my $gpg_fingerprint = `LC_ALL=C gpg --fingerprint $gpg_key_id | grep -v ^sub`;
+  if ($gpg_fingerprint =~ /^pub/)
+    {
+      chop $gpg_fingerprint;
+      $gpg_fingerprint =~ s/ \[expires:.*//mg;
+      $gpg_fingerprint =~ s/^uid           \[ultimate\]/uid  /mg;
+      $gpg_fingerprint =~ s/^/  /mg;
+      print<<EOF
+The signature should match the fingerprint of the following key:
+
+$gpg_fingerprint
+EOF
+    }
+  print <<EOF;
 If that command fails because you don't have the required public key,
-then run this command to import it:
+or that public key has expired, try the following commands to retrieve
+or refresh it, and then rerun the 'gpg --verify' command.
+EOF
+  if ($gpg_key_email) {
+    print <<EOF;
+
+  gpg --locate-external-key $gpg_key_email
+EOF
+    }
+  print <<EOF;
+
+  gpg --recv-keys $gpg_key_id
+EOF
+    if ($gpg_keyring_url) {
+      print <<EOF;
+
+  wget -q -O- '$gpg_keyring_url' | gpg --import -
+EOF
+      }
+  print <<EOF;
+
+As a last resort to find the key, you can try the official GNU
+keyring:
 
-  gpg --keyserver keys.gnupg.net --recv-keys $gpg_key_id
+  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
+  gpg --keyring gnu-keyring.gpg --verify $tarballs[0].sig
 
-and rerun the 'gpg --verify' command.
 EOF
 
   my @tool_versions = get_tool_versions (\@tool_list, $gnulib_version);