If acceptkeys is set in the PKGBUILD, signature checking fails if the fingerprint of the key used to create the signature is not listed in the array. Failure to verify the signature due to a missing public key is also treated as an error instead of a warning.
---
 scripts/makepkg.sh.in | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index e230c15..40c5b48 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1250,7 +1250,7 @@ check_pgpsigs() {
 msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file pubkey ext decompress found
+ local file pubkey ext decompress found success
 local warning=0
 local errors=0
 local statusfile=$(mktemp)
@@ -1296,7 +1296,11 @@ check_pgpsigs() {
 printf '%s' "$(gettext "FAILED")" >&2
 if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
 printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
- warnings=1
+ if (( ${#acceptkeys[@]} > 0 )); then
+ errors=1
+ else
+ warnings=1
+ fi
 else
 errors=1
 fi
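Review bot: The new `if (( ${#acceptkeys[@]} > 0 ))` branch that turns a missing public key into a hard error carries no comment saying why, and the diffstat shows only scripts/makepkg.sh.in changing, so neither the new acceptkeys PKGBUILD array nor this stricter behaviour is documented for PKGBUILD authors. A one-line comment above the branch, `# with acceptkeys set the fingerprint cannot be checked without the key, so a missing key is fatal`, would make the intent clear. The PKGBUILD man page should also gain an entry describing acceptkeys as the list of fingerprints the signature is matched against, since that is the user-facing contract this commit introduces. check_pgpsigs begins and ends outside this hunk.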
@@ -1306,13 +1310,25 @@ check_pgpsigs() {
 printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
 errors=1
 else
- printf '%s' "$(gettext "Passed")" >&2
- if grep -q "EXPSIG" "$statusfile"; then
- printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
- warnings=1
- elif grep -q "EXPKEYSIG" "$statusfile"; then
- printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
- warnings=1
+ success=1
+ if (( ${#acceptkeys[@]} > 0 )); then
+ pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG ([A-Z0-9]*) .*/\1/p;' | awk '{print tolower($0)}')
+ if ! in_array $pubkey ${acceptkeys[@]}; then
+ printf '%s' "$(gettext "FAILED")" >&2
+ printf " ($(gettext 'the fingerprint %s is not accepted.'))" "$pubkey" >&2
+ success=0
+ errors=1
+ fi
+ fi
+ if (( $success )); then
+ printf '%s' "$(gettext "Passed")" >&2
+ if grep -q "EXPSIG" "$statusfile"; then
+ printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
+ warnings=1
+ elif grep -q "EXPKEYSIG" "$statusfile"; then
+ printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
+ warnings=1
+ fi
 fi
 fi
 printf '\n' >&2
@@ -2809,7 +2825,7 @@ fi
 unset pkgname pkgbase pkgver pkgrel epoch pkgdesc url license groups provides
 unset md5sums replaces depends conflicts backup source install changelog build
-unset makedepends optdepends options noextract
+unset makedepends optdepends options noextract acceptkeys
 BUILDFILE=${BUILDFILE:-$BUILDSCRIPT}
 if [[ ! -f $BUILDFILE ]]; then
-- 
1.9.0
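Review bot: `if ! in_array $pubkey ${acceptkeys[@]}; then` leaves both expansions unquoted, so when the grep/sed pipeline on the line above yields nothing the empty `$pubkey` vanishes and the first acceptkeys entry becomes in_array's needle, and if the status file holds more than one VALIDSIG line (presumably possible when a signature file carries several signatures) the extra fingerprints are appended to the haystack — either way the fingerprint check can pass without the signing key being in the list. Extract exactly one fingerprint and refuse an empty result, in the same awk form the NO_PUBKEY branch already uses: `pubkey=$(awk '/VALIDSIG/ { print tolower($3); exit }' "$statusfile")` and `if [[ -z $pubkey ]] || ! in_array "$pubkey" "${acceptkeys[@]}"; then`. Only the extracted fingerprint is lowercased, so uppercase entries in acceptkeys can never match; lowercase the list as well or document the expected case. A comment such as `# VALIDSIG's first field is the fingerprint of the (sub)key that made the signature, not necessarily the primary key` would also help PKGBUILD authors choose the right fingerprint to list. check_pgpsigs begins and ends outside this hunk.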