[arch-commits] Commit in krb5/trunk (PKGBUILD)

Eric Bélanger eric at nymeria.archlinux.org
Wed Mar 26 02:25:35 UTC 2014


    Date: Wednesday, March 26, 2014 @ 03:25:35
  Author: eric
Revision: 208740

Improve gpg signature check hack (close FS#39060)

Modified:
  krb5/trunk/PKGBUILD

----------+
 PKGBUILD |   59 +++++++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 55 insertions(+), 4 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2014-03-26 00:13:24 UTC (rev 208739)
+++ PKGBUILD	2014-03-26 02:25:35 UTC (rev 208740)
@@ -28,12 +28,10 @@
           'f3677d30dbbd7106c581379c2c6ebb1bf7738912')
 
 prepare() {
-  tar -xf ${pkgname}-${pkgver}.tar.gz
   # the signature and source are bundled together, so signature check needs to be done here
-  local statusfile=$(mktemp)
-  (( SKIPPGPCHECK )) || gpg --quiet --batch --status-file "$statusfile" --verify krb5-${pkgver}.tar.gz.asc krb5-${pkgver}.tar.gz 2> /dev/null
-  rm "$statusfile"
+  _check_pgpsig
 
+  tar -xf ${pkgname}-${pkgver}.tar.gz
   cd ${pkgname}-${pkgver}/src
   # cf https://bugs.gentoo.org/show_bug.cgi?id=448778
   (cd build-tools;  patch -Np2 -i "${srcdir}"/krb5-config_LDFLAGS.patch; cd ..)
@@ -86,3 +84,56 @@
    install -m 644 ../../krb5-{kadmind.service,kdc.service,kpropd.service,kpropd at .service,kpropd.socket} \
       "${pkgdir}"/usr/lib/systemd/system
 }
+
+_check_pgpsig() {
+  (( SKIPPGPCHECK )) && return 0
+
+  msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
+
+  local file=${pkgname}-${pkgver}.tar.gz.asc
+  local sourcefile=${file%.*}
+  local pubkey
+  local warning=0
+  local errors=0
+  local statusfile=$(mktemp)
+
+  printf "    %s ... " "${file%.*}" >&2
+
+  if ! gpg --quiet --batch --status-file "$statusfile" --verify "$file" "$sourcefile" 2> /dev/null; then
+    printf "FAILED" >&2
+    if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
+      printf " (unknown public key $pubkey)" >&2
+      warnings=1
+    else
+      errors=1
+    fi
+    printf '\n' >&2
+  else
+    if grep -q "REVKEYSIG" "$statusfile"; then
+      printf "FAILED (the key has been revoked.)" >&2
+      errors=1
+    else
+      printf "Passed" >&2
+      if grep -q "EXPSIG" "$statusfile"; then
+        printf " (WARNING: the signature has expired.)" >&2
+        warnings=1
+      elif grep -q "EXPKEYSIG" "$statusfile"; then
+        printf " (WARNING: the key has expired.)" >&2
+        warnings=1
+      fi
+    fi
+    printf '\n' >&2
+  fi
+  
+  rm -f "$statusfile"
+
+  if (( errors )); then
+    error "One or more PGP signatures could not be verified!"
+    exit 1
+  fi
+
+  if (( warnings )); then
+    warning "Warnings have occurred while verifying the signatures."
+    plain "Please make sure you really trust them."
+  fi
+}
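Review bot: The declaration `local warning=0` does not match the `warnings=1` assignments in the unknown-key and expiry branches or the final `(( warnings ))` test, so those assignments create an unscoped global and the check only works because an unset name evaluates to 0 in arithmetic; the declaration should read `local warnings=0`. The NO_PUBKEY branch records only a warning, so a missing key lets the build proceed although the signature was never verified against any key — this appears to mirror makepkg's own check, but for this package it deserves either an explicit comment saying so or `errors=1` in that branch. `printf " (unknown public key $pubkey)"` interpolates a value read from the gpg status file into the format string; `printf ' (unknown public key %s)' "$pubkey" >&2` keeps the format fixed. `local statusfile=$(mktemp)` masks a failed mktemp (and a later `--status-file ""` write); split it into `local statusfile` followed by `statusfile=$(mktemp) || return 1`.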



