[pacman-dev] [PATCHv3 1/3] makepkg: Use read to parse status file during signature verification.

Allan McRae allan at archlinux.org
Fri May 23 01:32:11 EDT 2014


On 23/05/14 03:24, Andrew Gregory wrote:
> On 05/04/14 at 10:30am, Thomas Bächler wrote:
>> Instead of invoking grep multiple times, parse the status file once.
>>
>> This refactoring also changes the behaviour when signature verification
>> fails due to a missing public key: It is now an error instead of a
>> warning.
>> ---
>>  scripts/makepkg.sh.in | 92 ++++++++++++++++++++++++++++++++++++++++-----------
>>  1 file changed, 73 insertions(+), 19 deletions(-)
>>
>> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index d8cdc88..7eeeaba 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -1244,13 +1244,56 @@ check_checksums() {
>>  	fi
>>  }
>>  
>> +parse_gpg_statusfile() {
>> +	local type arg1 arg6
>> +
>> +	while read -r _ type arg1 _ _ _ _ arg6 _; do
>> +		case "$type" in
>> +			GOODSIG)
>> +				pubkey=$arg1
>> +				success=1
>> +				status="good"
>> +				;;
>> +			EXPSIG)
>> +				pubkey=$arg1
>> +				success=1
>> +				status="expired"
>> +				;;
>> +			EXPKEYSIG)
>> +				pubkey=$arg1
>> +				success=1
>> +				status="expiredkey"
>> +				;;
>> +			REVKEYSIG)
>> +				pubkey=$arg1
>> +				success=0
>> +				status="revokedkey"
>> +				;;
>> +			BADSIG)
>> +				pubkey=$arg1
>> +				success=0
>> +				status="bad"
>> +				;;
>> +			ERRSIG)
>> +				pubkey=$arg1
>> +				success=0
>> +				if [[ $arg6 == 9 ]]; then
>> +					status="missingkey"
>> +				else
>> +					status="error"
>> +				fi
>> +				;;
>> +		esac
>> +	done < "$1"
>> +}
>> +
>>  check_pgpsigs() {
>>  	(( SKIPPGPCHECK )) && return 0
>>  	! source_has_signatures && return 0
>>  
>>  	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>>  
>> -	local file pubkey ext decompress found
>> +	local file ext decompress found pubkey success status
>>  	local warning=0
>>  	local errors=0
>>  	local statusfile=$(mktemp)
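Review bot: The verdict computed by parse_gpg_statusfile is last-line-wins: every status line overwrites pubkey, success and status, so if gpg emits more than one signature result in a single verify run (a detached signature file can carry several signatures), a GOODSIG line that follows a BADSIG, REVKEYSIG or ERRSIG line leaves success=1 and status="good". Because the caller in the following hunk runs gpg without testing its exit status, this parser appears to be the only thing deciding whether the source file is accepted, so a failure should be sticky rather than overwritable. Recording the failure in a local flag in the three failing arms and forcing success=0 after the loop keeps the existing interface (success/status/pubkey assigned in the caller's scope) while closing that gap, as sketched below. The check_pgpsigs body this function is called from continues outside this hunk.
```shell
parse_gpg_statusfile() {
	local type arg1 arg6 failed=0

	while read -r _ type arg1 _ _ _ _ arg6 _; do
		case "$type" in
			# … unchanged: GOODSIG, EXPSIG, EXPKEYSIG arms (set success=1) …
			REVKEYSIG)
				pubkey=$arg1
				failed=1
				status="revokedkey"
				;;
			BADSIG)
				pubkey=$arg1
				failed=1
				status="bad"
				;;
			ERRSIG)
				pubkey=$arg1
				failed=1
				# … unchanged: missingkey / error status selection on $arg6 …
				;;
		esac
	done < "$1"
	# one failing signature line fails the whole file, whatever follows it
	if (( failed )); then
		success=0
	fi
}
```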
>> @@ -1292,31 +1335,42 @@ check_pgpsigs() {
>>  			"")  decompress="cat" ;;
>>  		esac
>>  
>> -		if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
>> +		$decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null

Comment added:

# these variables are assigned values in parse_gpg_statusfile

>> +		success=0
>> +		status=
>> +		pubkey=
>> +		parse_gpg_statusfile "$statusfile"
> 
> Before this actually gets merged, could we add a comment that
> parse_gpg_statusfile modifies the "local" variables success, status,
> and pubkey?  This behavior is non-obvious and makes the following test
> confusing.
> 





