Allan McRae pushed to branch master at Pacman / Pacman

Commits:

• 3aa096a7
  by David Runge at 2024-02-04T10:06:40+01:00

  makepkg: Emit early error if signature verification fails
  
  Emit an early error message if tag or commit verification with git or
  detached signature verification with gpg fails.
  Make `verify_file_signature()` and `verify_git_signature()` return
  non-zero in this case and set errors to `1`, so that later checks
  in `check_pgpsigs()`, although still run, can not lead to a positive
  result.
  
  Signed-off-by: David Runge <dvzrv@archlinux.org>
  

• 86ec26b2
  by David Runge at 2024-02-04T10:06:42+01:00

  makepkg: Improve robustness of signature verification by limiting terms
  
  The output of
  `gpg --quiet --batch --status-fd /dev/stdout --verify <signature_file> <file> 2> /dev/null`
  or
  `git verify-commit --raw <commit> 2>&1`
  may contain binary data, if the signature has been created with an
  OpenPGP implementation, that e.g. makes use of notations.
  If the notation string (see `NOTATION_DATA` in /usr/share/doc/gnupg/
  DETAILS) contains a trailing binary char, this will break signature
  verification, as any following entry (e.g. `VALIDSIG`) will be offset.
  
  As we are only making use of a narrow set of terms from the statusfile
  (namely `NEWSIG`, `GOODSIG`, `EXPSIG`, `EXPKEYSIG`, `REVKEYSIG`,
  `BADSIG`, `ERRSIG`, `VALIDSIG`, `TRUST_UNDEFINED`, `TRUST_NEVER`,
  `TRUST_MARGINAL`, `TRUST_FULLY`, `TRUST_ULTIMATE`), we are applying a
  filter, so that only understood terms are written to the file.
  
  Signed-off-by: David Runge <dvzrv@archlinux.org>
  

• 16a06470
  by David Runge at 2024-02-04T10:06:42+01:00

  makepkg: Move check for signature metadata to central location
  
  Move the check for the `NEWSIG` metadata keyword contained in the
  GnuPG based statusfile to `parse_gpg_statusfile()` so that it is also
  run when creating the statusfile in `verify_file_signature()` and not
  only when running `verify_git_signature()`.
  
  Signed-off-by: David Runge <dvzrv@archlinux.org>
  

• f8c2e59e
  by David Runge at 2024-02-04T10:06:43+01:00

  pacman-key: Make signature verification more robust by checking pipes
  
  To ensure we are not dropping the return code of the `gpg` call due to
  piping into `grep`, we make use of `PIPESTATUS` to check the return code
  of each command separately.
  
  Additionally, we can now distinguish between two states: The signature
  does not verify (e.g. due to technical reasons) and the signature is
  not trusted.
  
  Signed-off-by: David Runge <dvzrv@archlinux.org>
  

2 changed files:

• scripts/libmakepkg/integrity/verify_signature.sh.in
• scripts/pacman-key.sh.in