We cannot rely on gpg's exit code. Instead we have to check the status-fd to figure out whether a signature is valid or not. In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- scripts/pacman-key.sh.in | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in index b4bad1d..081a10a 100644 --- a/scripts/pacman-key.sh.in +++ b/scripts/pacman-key.sh.in @@ -436,10 +436,14 @@ refresh_keys() { } verify_sig() { - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then + local fd="$(mktemp)" + "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE + if ! grep -q TRUST_FULLY "${fd}"; then + rm -f "${fd}" error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE" exit 1 fi + rm -f "${fd}" } updatedb() { -- 1.7.9.5