Yell louder about known bad signing keys

Implement a blocklist, keyid_blocklist. If a keyid (without leading 0x)
in this file matches the signing key for a release, terminate autospec
with an error.

This is intended as a mechanism to block building releases signed with a
known compromised key.

autospec/config.py

@@ -121,6 +121,7 @@ class Config(object):
         self.failed_commands = {}
         self.ignored_commands = {}
         self.gems = {}
+        self.keyid_blocklist = {}
         self.license_hashes = {}
         self.license_translations = {}
         self.license_blacklist = {}
@@ -603,6 +604,7 @@ class Config(object):
         read_pattern_conf("license_blacklist", self.license_blacklist, list_format=True, path=path)
         read_pattern_conf("qt_modules", self.qt_modules, path=path)
         read_pattern_conf("cmake_modules", self.cmake_modules, path=path)
+        read_pattern_conf("keyid_blocklist", self.keyid_blocklist, list_format=True, path=path)
 
     def parse_existing_spec(self, name):
         """Determine the old version, old patch list, old keyid, and cves from old spec file."""

autospec/keyid_blocklist

@@ -0,0 +1 @@
+59FCF207FEA7F445

autospec/pkg_integrity.py

@@ -483,6 +483,10 @@ class GPGVerifier(Verifier):
             return None
         # valid signature exists at package_sign_path, operate on it now
         keyid = get_keyid(self.package_sign_path)
+        if keyid in self.config.keyid_blocklist:
+            self.print_result(False, err_msg='KNOWNBADACTOR: {}'.format(keyid))
+            self.quit()
+
         # default location first
         pubkey_loc = self.pubkey_path.format(keyid)
         cache_key = os.path.join(KEY_CACHE_DIR, pubkey_loc)