[pacman-dev] [PATCHv3 1/3] makepkg: Use read to parse status file during signature verification.
Allan McRae
allan at archlinux.org
Fri May 23 01:32:11 EDT 2014
On 23/05/14 03:24, Andrew Gregory wrote:
> On 05/04/14 at 10:30am, Thomas Bächler wrote:
>> Instead of invoking grep multiple times, parse the status file once.
>>
>> This refactoring also changes the behaviour when signature verification
>> fails due to a missing public key: It is now an error instead of a
>> warning.
>> ---
>> scripts/makepkg.sh.in | 92 ++++++++++++++++++++++++++++++++++++++++-----------
>> 1 file changed, 73 insertions(+), 19 deletions(-)
>>
>> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index d8cdc88..7eeeaba 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -1244,13 +1244,56 @@ check_checksums() {
>> fi
>> }
>>
>> +parse_gpg_statusfile() {
>> + local type arg1 arg6
>> +
>> + while read -r _ type arg1 _ _ _ _ arg6 _; do
>> + case "$type" in
>> + GOODSIG)
>> + pubkey=$arg1
>> + success=1
>> + status="good"
>> + ;;
>> + EXPSIG)
>> + pubkey=$arg1
>> + success=1
>> + status="expired"
>> + ;;
>> + EXPKEYSIG)
>> + pubkey=$arg1
>> + success=1
>> + status="expiredkey"
>> + ;;
>> + REVKEYSIG)
>> + pubkey=$arg1
>> + success=0
>> + status="revokedkey"
>> + ;;
>> + BADSIG)
>> + pubkey=$arg1
>> + success=0
>> + status="bad"
>> + ;;
>> + ERRSIG)
>> + pubkey=$arg1
>> + success=0
>> + if [[ $arg6 == 9 ]]; then
>> + status="missingkey"
>> + else
>> + status="error"
>> + fi
>> + ;;
>> + esac
>> + done < "$1"
>> +}
>> +
>> check_pgpsigs() {
>> (( SKIPPGPCHECK )) && return 0
>> ! source_has_signatures && return 0
>>
>> msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
>>
>> - local file pubkey ext decompress found
>> + local file ext decompress found pubkey success status
>> local warning=0
>> local errors=0
>> local statusfile=$(mktemp)
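Review bot: The case arms in parse_gpg_statusfile let the last status line win, so if gpg emits more than one signature result for a file (a detached signature carrying several signatures), a BADSIG/REVKEYSIG/ERRSIG followed by a GOODSIG ends with success=1; the old code could not reach that state because the gpg exit status was checked directly. Recording a failure once seen and refusing to re-raise success keeps the verification fail-closed; the diff below shows the change for one success arm and one failure arm, the other arms follow the same pattern. The field placeholders in the read line also deserve a comment, since only the ERRSIG layout explains why the eighth field is tested, e.g. `# [GNUPG:] ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>; rc 9 means the public key is not available`. check_pgpsigs begins in this hunk and continues outside it.
```shell
parse_gpg_statusfile() {
	local type arg1 arg6 failed=0

	# [GNUPG:] ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc>; rc 9 means no public key
	while read -r _ type arg1 _ _ _ _ arg6 _; do
		case "$type" in
			GOODSIG)
				pubkey=$arg1
				(( failed )) || success=1
				status="good"
				;;
			# … unchanged: EXPSIG / EXPKEYSIG arms, each using the same `(( failed )) || success=1` guard …
			BADSIG)
				pubkey=$arg1
				success=0
				failed=1
				status="bad"
				;;
			# … unchanged: REVKEYSIG / ERRSIG arms, each also setting failed=1 …
		esac
	done < "$1"
}
```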
>> @@ -1292,31 +1335,42 @@ check_pgpsigs() {
>> "") decompress="cat" ;;
>> esac
>>
>> - if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
>> + $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
Comment added:
# these variables are assigned values in parse_gpg_statusfile
>> + success=0
>> + status=
>> + pubkey=
>> + parse_gpg_statusfile "$statusfile"
>
> Before this actually gets merged, could we add a comment that
> parse_gpg_statusfile modifies the "local" variables success, status,
> and pubkey? This behavior is non-obvious and makes the following test
> confusing.
>