[pacman-dev] [PATCH 1/2] Add support for verifying pgp signatures to makepkg

Wieland Hoffmann themineo at googlemail.com
Sun Jun 26 12:21:30 EDT 2011


Hello, Dan McGee:

>On Thu, Jun 23, 2011 at 2:36 AM, Wieland Hoffmann
><themineo at googlemail.com> wrote:
>> +                       echo "$(gettext "NOT FOUND")" >&2
>> +                       errors=1
>> +                       found=0
>> +               fi
>> +
>> +               if (( found )); then
>> +                       if ! gpg --quiet --batch --verify "$file"
>> 2> /dev/null; then
>> +                               echo "$(gettext "Verification
>> failed")" >&2
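
Review bot: In the (( found )) branch, the gpg --verify test treats exit status 0 as a valid signature, and with 2> /dev/null nothing else from gpg is checked or shown. The reply below points out that gpg still exits 0 when the signing key has been revoked, so this branch would accept such a file. Suggest writing gpg's status lines to a file with --status-file, failing on EXPSIG, EXPKEYSIG or REVKEYSIG, and printing the reason alongside "Verification failed".
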
>Any need to eat stderr? If things only show up in exceptional cases,
>I'd rather it come through.

After looking at this more thoroughly it seems like ALL output will
appear on stderr [0].
I think it's a good idea to eat stderr here and instead use
--status-file to save status messages in a temporary file and then grep
for one of EXPSIG, EXPKEYSIG or REVKEYSIG (yes, gpg exits with status 0
even if the key that signed something has been revoked)[1] and exit
immediately with an error message. Any objections?

[0]
http://lists.gnupg.org/pipermail/gnupg-users/2010-November/039821.html
[1]
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/DETAILS;h=2e1d92bb7c7cbeed9008ed268b365613ab3c5948;hb=refs/heads/STABLE-BRANCH-2-0#l232

-- 
Wieland / Mineo
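
The check proposed in this message, sketched as an added example that is not part of the original post or of makepkg. The function names and the sample status lines are constructed for illustration; beyond the three keywords named above, the sketch also rejects BADSIG/ERRSIG and requires a GOODSIG line.

```shell
# Added example (not makepkg code): decide from gpg's status lines, not from
# its exit code. Function and variable names here are hypothetical.

# Reads "[GNUPG:] ..." status lines on stdin, prints a verdict, and returns 0
# only if a GOODSIG was seen and no expired/revoked/bad status appeared.
classify_gpg_status() {
	local prefix tag rest good=0
	while read -r prefix tag rest || [ -n "$prefix" ]; do
		[ "$prefix" = "[GNUPG:]" ] || continue
		case $tag in
			EXPSIG)        echo "signature expired";   return 1 ;;
			EXPKEYSIG)     echo "signing key expired"; return 1 ;;
			REVKEYSIG)     echo "signing key revoked"; return 1 ;;
			BADSIG|ERRSIG) echo "verification failed"; return 1 ;;
			GOODSIG)       good=1 ;;
		esac
	done
	if [ "$good" -eq 1 ]; then echo "ok"; return 0; fi
	echo "no signature status found"; return 1
}

# Runs gpg with stderr discarded and status lines in a temporary file, then
# classifies them. Needs gpg and the signer's public key in the keyring.
verify_with_status() {
	local sig=$1 data=$2 statusfile verdict rc=0
	statusfile=$(mktemp) || return 1
	gpg --quiet --batch --status-file "$statusfile" \
		--verify "$sig" "$data" 2> /dev/null || rc=$?
	verdict=$(classify_gpg_status < "$statusfile") || rc=1
	rm -f "$statusfile"
	echo "$verdict" >&2
	return "$rc"
}

# Constructed sample status output (key id and user id are made up).
sample_good='[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>'
sample_revoked='[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Packager <packager@example.org>'
sample_mixed="$sample_good
[GNUPG:] EXPKEYSIG FEDCBA9876543210 Second Signer <second@example.org>"
```

Because every status line is scanned before a GOODSIG is accepted, a file carrying one good signature and one from an expired or revoked key is still rejected.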