[pacman-dev] [PATCH 4/4] pacman-key: Actually verify signatures and exit with correct codes
Allan McRae
allan at archlinux.org
Sun Mar 25 10:23:35 EDT 2012
On 25/03/12 22:10, Pierre Schmitz wrote:
> We cannot rely on gpg's exit code. Instead we have to check the status-fd to
> figoure out whether a signature is valid or not.
typo ^
> In addition to this pacman-key --verify can now be used in scripts as it will
> return an exit code of 1 if the signature is invalid.
>
> Signed-off-by: Pierre Schmitz <pierre at archlinux.de>
> ---
> scripts/pacman-key.sh.in | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
> index 4c02d7d..c5ecca5 100644
> --- a/scripts/pacman-key.sh.in
> +++ b/scripts/pacman-key.sh.in
> @@ -436,10 +436,16 @@ refresh_keys() {
> }
>
> verify_sig() {
> - if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
> + local fd="$(mktemp)"
> + exec 4>"${fd}"
> + "${GPG_PACMAN[@]}" --status-fd 4 --verify $SIGNATURE
I think it would be safer to use --status-file here. We do that when
verifying signatures in makepkg.
> + exec 4>&-
> + if ! grep -q TRUST_FULLY "${fd}"; then
> + rm -f "${fd}"
> error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
> exit 1
> fi
> + rm -f "${fd}"
> }
>
> updatedb() {
More information about the pacman-dev
mailing list