[pacman-dev] [PATCHv3 1/3] makepkg: Use read to parse status file during signature verification.

Andrew Gregory andrew.gregory.8 at gmail.com
Thu May 22 13:24:04 EDT 2014


On 05/04/14 at 10:30am, Thomas Bächler wrote:
> Instead of invoking grep multiple times, parse the status file once.
> 
> This refactoring also changes the behaviour when signature verification
> fails due to a missing public key: It is now an error instead of a
> warning.
> ---
>  scripts/makepkg.sh.in | 92 ++++++++++++++++++++++++++++++++++++++++-----------
>  1 file changed, 73 insertions(+), 19 deletions(-)
> 
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index d8cdc88..7eeeaba 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -1244,13 +1244,56 @@ check_checksums() {
>  	fi
>  }
>  
> +parse_gpg_statusfile() {
> +	local type arg1 arg6
> +
> +	while read -r _ type arg1 _ _ _ _ arg6 _; do
> +		case "$type" in
> +			GOODSIG)
> +				pubkey=$arg1
> +				success=1
> +				status="good"
> +				;;
> +			EXPSIG)
> +				pubkey=$arg1
> +				success=1
> +				status="expired"
> +				;;
> +			EXPKEYSIG)
> +				pubkey=$arg1
> +				success=1
> +				status="expiredkey"
> +				;;
> +			REVKEYSIG)
> +				pubkey=$arg1
> +				success=0
> +				status="revokedkey"
> +				;;
> +			BADSIG)
> +				pubkey=$arg1
> +				success=0
> +				status="bad"
> +				;;
> +			ERRSIG)
> +				pubkey=$arg1
> +				success=0
> +				if [[ $arg6 == 9 ]]; then
> +					status="missingkey"
> +				else
> +					status="error"
> +				fi
> +				;;
> +		esac
> +	done < "$1"
> +}
> +
>  check_pgpsigs() {
>  	(( SKIPPGPCHECK )) && return 0
>  	! source_has_signatures && return 0
>  
>  	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>  
> -	local file pubkey ext decompress found
> +	local file ext decompress found pubkey success status
>  	local warning=0
>  	local errors=0
>  	local statusfile=$(mktemp)
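Review bot: A later signature block can overwrite an earlier failure, because every arm of the `case` in parse_gpg_statusfile unconditionally reassigns `success` and `status` and the loop consumes the whole status file; if gpg reports more than one signature for a file (it emits one status block per signature, presumably each introduced by a NEWSIG line — worth confirming against gpg's DETAILS document), a GOODSIG that follows a BADSIG or REVKEYSIG ends with `success=1` and the rejection is never shown. Ending the REVKEYSIG, BADSIG and ERRSIG arms with `break` (after the `fi` in the ERRSIG arm) makes the first failure the outcome and keeps any rejection sticky. Separately, the retained `local warning=0` on the line after the changed declaration does not match the `warnings=1` assignments in the next hunk; if nothing outside the hunk reads `warning`, that declaration is misnamed and `warnings` escapes the function's local scope, though this is pre-existing. check_pgpsigs continues past the end of this hunk.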
> @@ -1292,31 +1335,42 @@ check_pgpsigs() {
>  			"")  decompress="cat" ;;
>  		esac
>  
> -		if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
> +		$decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
> +		success=0
> +		status=
> +		pubkey=
> +		parse_gpg_statusfile "$statusfile"

Before this actually gets merged, could we add a comment that
parse_gpg_statusfile modifies the "local" variables success, status,
and pubkey?  This behavior is non-obvious and makes the following test
confusing.

> +		if (( ! $success )); then
>  			printf '%s' "$(gettext "FAILED")" >&2
> -			if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
> -				printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
> -				warnings=1
> -			else
> -				errors=1
> -			fi
> -			printf '\n' >&2
> +			case "$status" in
> +				"missingkey")
> +					printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
> +					;;
> +				"revokedkey")
> +					printf " ($(gettext "public key %s has been revoked"))" "$pubkey" >&2
> +					;;
> +				"bad")
> +					printf ' (%s)' "$(gettext "bad signature from public key") $pubkey" >&2
> +					;;
> +				"error")
> +					printf ' (%s)' "$(gettext "error during signature verification")" >&2
> +					;;
> +			esac
> +			errors=1
>  		else
> -			if grep -q "REVKEYSIG" "$statusfile"; then
> -				printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
> -				errors=1
> -			else
> -				printf '%s' "$(gettext "Passed")" >&2
> -				if grep -q "EXPSIG" "$statusfile"; then
> +			printf '%s' "$(gettext "Passed")" >&2
> +			case "$status" in
> +				"expired")
>  					printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
>  					warnings=1
> -				elif grep -q "EXPKEYSIG" "$statusfile"; then
> +					;;
> +				"expiredkey")
>  					printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
>  					warnings=1
> -				fi
> -			fi
> -			printf '\n' >&2
> +					;;
> +			esac
>  		fi
> +		printf '\n' >&2
>  	done
>  
>  	rm -f "$statusfile"
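Review bot: The failure branch prints only `FAILED` with no reason when `$status` is empty, because the `case "$status"` under `if (( ! $success ))` has no default arm and `status=` is cleared before parse_gpg_statusfile runs; the exit code of the gpg pipeline above is no longer checked, so gpg failing to start at all, or emitting only status lines the parser ignores, leaves an empty status file and an unexplained failure. Making the last arm `*)` instead of `"error")` reports those cases as `error during signature verification`. Minor: `(( ! $success ))` works, but the `$` is unnecessary inside `(( ))`; `(( ! success ))` matches how `SKIPPGPCHECK` is tested at the top of the function. The enclosing while loop over source files starts before this hunk.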
> -- 
> 1.9.2

