On 06/07/11 21:02, Wieland Hoffmann wrote:
Many projects provide signature files along with the source code archives. It's good to check these, too, when verifying the integrity of source code archives. Not everybody is using gpg so the verification can be disabled with --skippgpcheck. Additionally, only a warning is displayed when the key that signed the source file is unknown. ---
Signed-off-by: Allan

Applied to my working branch with the minor changes mentioned below.

<snip>
+check_pgpsigs() { + (( SKIPPGPCHECK ))&& return 0 + (( ! ${#source[@]} ))&& return 0 + [[ ! source_has_signatures ]]&& return 0
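Review bot: the guard `[[ ! source_has_signatures ]]` at the end of this hunk never calls the function. Inside `[[ ]]` the bare word is tested as a non-empty string, so the negated test is always false and this early return never fires. Run it as a command instead, for example `source_has_signatures || return 0`, so that the check is really skipped when no source entry has a signature file.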
The ${#source[@]} size check is not needed given it is covered by the source_has_signatures anyway. <snip>
+ + if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then + if grep "NO_PUBKEY" "$statusfile"> /dev/null; then + echo "$(gettext "Warning: Unknown public key") $(awk '/NO_PUBKEY/ {print $3}' $statusfile)">&2 + warnings=1 + else + echo "$(gettext "FAILED")">&2 + errors=1 + fi + else + if grep "REVKEYSIG" "$statusfile"> /dev/null; then + errors=1 + echo "$(gettext "Passed")" "-" "$(gettext "Warning: the key has been revoked.")">&2
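Review bot: in the NO_PUBKEY branch, `$statusfile` is passed to awk unquoted although it is quoted in the gpg and grep calls; quote it there too so a path containing whitespace is not split. The `grep "NO_PUBKEY"` and `grep "REVKEYSIG"` tests also match the keyword anywhere in the status file, so anchoring them to the status-line prefix (`^\[GNUPG:\] NO_PUBKEY`) and using `grep -q` instead of redirecting to /dev/null would make the warning-versus-error classification stricter.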
Just a style consistency change to have the message above the errors=1.

Allan