Allan McRae pushed to branch master at Pacman / Pacman

Commits:

3aa096a7 by David Runge at 2024-02-04T10:06:40+01:00
makepkg: Emit early error if signature verification fails

Emit an early error message if tag or commit verification with git or detached signature verification with gpg fails.
Make `verify_file_signature()` and `verify_git_signature()` return non-zero in this case and set errors to `1`, so that later checks in `check_pgpsigs()`, although still run, cannot lead to a positive result.

Signed-off-by: David Runge <dvzrv@archlinux.org>

- - - - -

86ec26b2 by David Runge at 2024-02-04T10:06:42+01:00
makepkg: Improve robustness of signature verification by limiting terms

The output of `gpg --quiet --batch --status-fd /dev/stdout --verify <signature_file> <file> 2> /dev/null` or `git verify-commit --raw <commit> 2>&1` may contain binary data if the signature has been created with an OpenPGP implementation that, e.g., makes use of notations.
If the notation string (see `NOTATION_DATA` in /usr/share/doc/gnupg/DETAILS) contains a trailing binary char, this will break signature verification, as any following entry (e.g. `VALIDSIG`) will be offset.

As we are only making use of a narrow set of terms from the statusfile (namely `NEWSIG`, `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`, `BADSIG`, `ERRSIG`, `VALIDSIG`, `TRUST_UNDEFINED`, `TRUST_NEVER`, `TRUST_MARGINAL`, `TRUST_FULLY`, `TRUST_ULTIMATE`), we are applying a filter, so that only understood terms are written to the file.

Signed-off-by: David Runge <dvzrv@archlinux.org>

- - - - -

16a06470 by David Runge at 2024-02-04T10:06:42+01:00
makepkg: Move check for signature metadata to central location

Move the check for the `NEWSIG` metadata keyword contained in the GnuPG based statusfile to `parse_gpg_statusfile()` so that it is also run when creating the statusfile in `verify_file_signature()` and not only when running `verify_git_signature()`.

Signed-off-by: David Runge <dvzrv@archlinux.org>

- - - - -

f8c2e59e by David Runge at 2024-02-04T10:06:43+01:00
pacman-key: Make signature verification more robust by checking pipes

To ensure we are not dropping the return code of the `gpg` call due to piping into `grep`, we make use of `PIPESTATUS` to check the return code of each command separately.
Additionally, we can now distinguish between two states: The signature does not verify (e.g. due to technical reasons) and the signature is not trusted.

Signed-off-by: David Runge <dvzrv@archlinux.org>

- - - - -

2 changed files:

- scripts/libmakepkg/integrity/verify_signature.sh.in
- scripts/pacman-key.sh.in

View it on GitLab: https://gitlab.archlinux.org/pacman/pacman/-/compare/bf76b5e89f95ff02191cfc3...
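The four commit messages above describe one defensive pattern from two sides: on the makepkg side, reduce the GnuPG status stream to the keywords the parser actually understands, insist on a `NEWSIG` record, and fail closed as soon as a signature is bad; on the pacman-key side, read `PIPESTATUS` so that `gpg`'s own exit code is not swallowed by the `grep` it is piped into. The script below is an added example, not pacman's code from these commits. It stands in for `gpg --status-fd /dev/stdout --verify` with constructed `fake_gpg_*` functions (including a `NOTATION_DATA` record that ends in a raw 0x01 byte, the kind of output the second commit is about), so it runs offline; the return-code policy for expired or revoked keys is this example's own simplification, not makepkg's exact behaviour.

```bash
#!/bin/bash
# Added example, not pacman's own code. It mirrors the behaviour described in
# the commits above using a fake gpg so that it runs offline:
#   - filter the status-fd stream down to the keywords the parser understands
#   - require NEWSIG, and fail closed (return 1) on BADSIG/ERRSIG
#   - keep gpg's exit status when piping into grep (PIPESTATUS)
# Everything named fake_* is constructed for this example.

# Keywords the parser understands (list taken from the commit message).
KNOWN_TERMS='NEWSIG|GOODSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|BADSIG|ERRSIG|VALIDSIG'
KNOWN_TERMS+='|TRUST_UNDEFINED|TRUST_NEVER|TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE'

# Constructed stand-ins for `gpg --status-fd /dev/stdout --verify`. The good
# case carries a NOTATION_DATA record ending in a raw 0x01 byte, the kind of
# record that offsets later entries when the stream is parsed unfiltered.
fake_gpg_good() {
  printf '[GNUPG:] NEWSIG\n'
  printf '[GNUPG:] NOTATION_NAME example@notations.invalid\n'
  printf '[GNUPG:] NOTATION_DATA opaque-value\001\n'
  printf '[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n'
  printf '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-02-04 1707037600\n'
  printf '[GNUPG:] TRUST_FULLY 0 pgp\n'
  return 0
}
fake_gpg_bad() {          # signature does not verify: gpg itself fails
  printf '[GNUPG:] NEWSIG\n'
  printf '[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n'
  return 1
}
fake_gpg_untrusted() {    # verifies, but the key is not trusted
  printf '[GNUPG:] NEWSIG\n'
  printf '[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>\n'
  printf '[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-02-04 1707037600\n'
  printf '[GNUPG:] TRUST_UNDEFINED 0 pgp\n'
  return 0
}
fake_gpg_noise() {        # no NEWSIG at all: nothing was actually verified
  printf '[GNUPG:] NOTATION_DATA garbage\n'
  return 0
}

# makepkg side: only understood keywords reach the statusfile. -a forces text
# mode so a stray binary byte in a notation record cannot abort the filter.
filter_status() {
  grep -aE "^\[GNUPG:\] ($KNOWN_TERMS)( |$)"
}

# makepkg side: 0 for a good, trusted signature; 1 when the signature is bad,
# errored, expired/revoked (this example's simplification) or NEWSIG is
# missing; 2 when it verifies but the key is not trusted.
parse_gpg_statusfile() {
  local statusfile=$1 line keyword newsig=0 errors=0 trusted=0
  while IFS= read -r line; do
    keyword=${line#\[GNUPG:\] }
    keyword=${keyword%% *}
    case $keyword in
      NEWSIG)                                   newsig=1 ;;
      BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) errors=1 ;;
      TRUST_FULLY|TRUST_ULTIMATE)               trusted=1 ;;
    esac
  done < "$statusfile"
  (( newsig == 0 || errors == 1 )) && return 1
  (( trusted == 1 )) && return 0
  return 2
}

# makepkg side, combining the pieces: run gpg, keep only known keywords, then
# emit an early error and return non-zero as soon as verification fails.
verify_file_signature() {
  local gpg_cmd=$1 statusfile rc
  statusfile=$(mktemp) || return 1
  "$gpg_cmd" 2>/dev/null | filter_status > "$statusfile"
  parse_gpg_statusfile "$statusfile"; rc=$?
  rm -f "$statusfile"
  case $rc in
    1) echo "error: signature verification failed" >&2 ;;
    2) echo "error: signature is not trusted" >&2 ;;
  esac
  return "$rc"
}

# pacman-key side: distinguish "does not verify" (gpg failed) from "verifies
# but untrusted" (grep found no TRUST_FULLY/TRUST_ULTIMATE). PIPESTATUS must
# be read immediately after the pipeline, before any other command runs.
check_trust() {
  local gpg_rc grep_rc
  "$1" 2>/dev/null | grep -qaE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)'
  gpg_rc=${PIPESTATUS[0]} grep_rc=${PIPESTATUS[1]}
  if (( gpg_rc != 0 )); then
    echo "error: signature does not verify" >&2; return 1
  elif (( grep_rc != 0 )); then
    echo "error: signature is not trusted" >&2; return 2
  fi
  return 0
}

# Stand-alone demonstration: print the outcome for each constructed case.
if [[ ${BASH_SOURCE[0]} == "$0" ]]; then
  for c in fake_gpg_good fake_gpg_untrusted fake_gpg_bad fake_gpg_noise; do
    verify_file_signature "$c"; echo "makepkg-style    $c -> $?"
    check_trust "$c";          echo "pacman-key-style $c -> $?"
  done
fi
```

Without the `PIPESTATUS` read in `check_trust`, the `fake_gpg_bad` case would report "not trusted" rather than "does not verify", because only `grep`'s exit status survives the pipeline; and without `filter_status`, the notation record with the trailing binary byte would be handed straight to the parser instead of being dropped.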