[pacman-dev] [PATCH 4/4] pacman-key: Actually verify signatures and exit with correct codes
Pierre Schmitz
pierre at archlinux.de
Sun Mar 25 08:10:42 EDT 2012
We cannot rely on gpg's exit code. Instead we have to check the status-fd to
figure out whether a signature is valid or not.
In addition to this pacman-key --verify can now be used in scripts as it will
return an exit code of 1 if the signature is invalid.
Signed-off-by: Pierre Schmitz <pierre at archlinux.de>
---
scripts/pacman-key.sh.in | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 4c02d7d..c5ecca5 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -436,10 +436,16 @@ refresh_keys() {
}
verify_sig() {
- if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
+ local fd="$(mktemp)"
+ exec 4>"${fd}"
+ "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE
+ exec 4>&-
+ if ! grep -q TRUST_FULLY "${fd}"; then
+ rm -f "${fd}"
error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
exit 1
fi
+ rm -f "${fd}"
}
updatedb() {
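Review bot: The new `grep -q TRUST_FULLY "${fd}"` check rejects signatures made by an ultimately trusted key, because gpg reports those on the status fd as `TRUST_ULTIMATE`, not `TRUST_FULLY`; change it to `if ! grep -q -e TRUST_FULLY -e TRUST_ULTIMATE "${fd}"; then`. Conversely, as far as I recall gpg also emits a TRUST_* line after an EXPKEYSIG or REVKEYSIG result, so a stricter check would additionally require a `GOODSIG` line in `${fd}` before accepting — worth confirming against gpg's status-fd documentation (doc/DETAILS) before relying on TRUST_* alone. The new `"${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE` line keeps `$SIGNATURE` unquoted, so a signature path containing whitespace is split into several arguments; quote it as `"$SIGNATURE"`. `local fd="$(mktemp)"` masks a failing mktemp (the `local` status is what survives), leaving `fd` empty so the following `exec 4>"${fd}"` redirects to an empty name; split it into `local fd` and `fd="$(mktemp)" || exit 1`.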
--
1.7.9.4