Instead of invoking grep multiple times, parse the status file once. This refactoring also changes the behvaiour when signature verification fails due to a missing public key: It is now an error instead of a warning. --- scripts/makepkg.sh.in | 92 ++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 73 insertions(+), 19 deletions(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index e230c15..5386516 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1244,13 +1244,56 @@ check_checksums() { fi } +parse_gpg_statusfile() { + local gnupg type arg1 arg2 arg3 arg4 arg5 arg6 arg7 arg8 arg9 arg10 rest + + while read -r gnupg type arg1 arg2 arg3 arg4 arg5 arg6 arg7 arg8 arg9 arg10 rest; do + case "$type" in + GOODSIG) + pubkey=$arg1 + success=1 + status="good" + ;; + EXPSIG) + pubkey=$arg1 + success=1 + status="expired" + ;; + EXPKEYSIG) + pubkey=$arg1 + success=1 + status="expiredkey" + ;; + REVKEYSIG) + pubkey=$arg1 + success=0 + status="revokedkey" + ;; + BADSIG) + pubkey=$arg1 + success=0 + status="bad" + ;; + ERRSIG) + pubkey=$arg1 + success=0 + if [[ $arg6 == 9 ]]; then + status="missingkey" + else + status="error" + fi + ;; + esac + done < "$1" +} + check_pgpsigs() { (( SKIPPGPCHECK )) && return 0 ! source_has_signatures && return 0 msg "$(gettext "Verifying source file signatures with %s...")" "gpg" - local file pubkey ext decompress found + local file ext decompress found pubkey success status local warning=0 local errors=0 local statusfile=$(mktemp) @@ -1292,31 +1335,42 @@ check_pgpsigs() { "") decompress="cat" ;; esac - if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then + $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null + success=0 + status= + pubkey= + parse_gpg_statusfile "$statusfile" + if (( ! $success )); then printf '%s' "$(gettext "FAILED")" >&2 - if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then - printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2 - warnings=1 - else - errors=1 - fi - printf '\n' >&2 + case "$status" in + "missingkey") + printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2 + ;; + "revokedkey") + printf " ($(gettext "public key %s has been revoked"))" "$pubkey" >&2 + ;; + "bad") + printf ' (%s)' "$(gettext "bad signature from public key") $pubkey" >&2 + ;; + "error") + printf ' (%s)' "$(gettext "error during signature verification")" >&2 + ;; + esac + errors=1 else - if grep -q "REVKEYSIG" "$statusfile"; then - printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2 - errors=1 - else - printf '%s' "$(gettext "Passed")" >&2 - if grep -q "EXPSIG" "$statusfile"; then + printf '%s' "$(gettext "Passed")" >&2 + case "$status" in + "expired") printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2 warnings=1 - elif grep -q "EXPKEYSIG" "$statusfile"; then + ;; + "expiredkey") printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2 warnings=1 - fi - fi - printf '\n' >&2 + ;; + esac fi + printf '\n' >&2 done rm -f "$statusfile" -- 1.9.0