On 25/03/12 22:10, Pierre Schmitz wrote:
We cannot rely on gpg's exit code. Instead we have to check the status-fd to figoure out whether a signature is valid or not.
typo ^
In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
scripts/pacman-key.sh.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index 4c02d7d..c5ecca5 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,16 @@ refresh_keys() { }
verify_sig() {
- if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
- local fd="$(mktemp)"
- exec 4>"${fd}"
- "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE
I think it would be safer to use --status-file here. We do that when verifying signatures in makepkg.
- exec 4>&-
- if ! grep -q TRUST_FULLY "${fd}"; then
error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 firm -f "${fd}"
- rm -f "${fd}"
}
updatedb() {
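Review bot: the `grep -q TRUST_FULLY "${fd}"` check only accepts signatures from fully trusted keys; gpg's status output reports ultimately trusted keys as `TRUST_ULTIMATE`, so a signature made by a key the user trusts ultimately (including keys signed directly by the local master key) will be reported as "could not be verified". Consider matching both, anchored to the status prefix so an unrelated substring cannot satisfy the test, e.g. `grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' "${fd}"`. Two smaller points in the same hunk: the temporary file is only removed after the `fi`, so on the failure path `exit 1` leaves the `mktemp` file behind (move `rm -f "${fd}"` before the `if`, or trap it); and `$SIGNATURE` is passed unquoted to gpg, so a signature path containing whitespace is split into several arguments.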