On 30/05/18 03:00, Eli Schwartz wrote:
Simply pass options on to gpg the same way gpg uses them -- no looping through and checking lots of signatures.
This prevents a situation where the signature file to be verified is manipulated to contain a complete signature which is valid, but not a detached signature for the file you are actually trying to verify.
gpg does not offer an option to verify many files at once by naming each signature/file pair, and there's no reason for us to do so either, since it would be quite tiresome to do so.
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- scripts/pacman-key.sh.in | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 0f1630a9..0573e92f 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -486,18 +486,19 @@ refresh_keys() { }
verify_sig() { - local ret=0 - for sig; do - msg "Checking %s..." "$sig" - if grep -q 'BEGIN PGP SIGNATURE' "$sig"; then - error "$(gettext "Cannot use armored signatures for packages: %s")" "$sig" - return 1 - fi - if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then - error "$(gettext "The signature identified by %s could not be verified.")" "$sig" - ret=1 - fi - done + local ret=0 sig=$1 file=$2 + if [[ -z $file ]]; then + file=${sig%.*} + fi
Opinions on if we should we do this? All pacman's infrastructure assumes detached signatures, but this is a difference from how gpg does things when only one argument is given.
+ msg "Checking %s..." "$sig" + if grep -q 'BEGIN PGP SIGNATURE' "$sig"; then + error "$(gettext "Cannot use armored signatures for packages: %s")" "$sig" + exit 1 + fi + if ! "${GPG_PACMAN[@]}" --status-fd 1 --verify "$sig" "$file" | grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE).*$'; then + error "$(gettext "The signature identified by %s could not be verified.")" "$sig" + ret=1 + fi exit $ret }