[pacman-dev] [PATCH v3 1/3] libmakepkg/integrity: Verify file signatures in a separate function

Eli Schwartz eschwartz93 at gmail.com
Tue Jan 3 20:10:17 UTC 2017


This makes it easier to add signature verification for new protos.

Signed-off-by: Eli Schwartz <eschwartz93 at gmail.com>
---
 .../libmakepkg/integrity/verify_signature.sh.in    | 84 ++++++++++++----------
 1 file changed, 46 insertions(+), 38 deletions(-)

diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index 6df62727..6ffc6df4 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -32,7 +32,7 @@ check_pgpsigs() {
 
 	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
 
-	local file ext decompress found pubkey success status fingerprint trusted
+	local netfile pubkey success status fingerprint trusted
 	local warning=0
 	local errors=0
 	local statusfile=$(mktemp)
@@ -46,44 +46,9 @@ check_pgpsigs() {
 			get_all_sources_for_arch 'all_sources'
 			;;
 	esac
-	for file in "${all_sources[@]}"; do
-		file="$(get_filename "$file")"
-		if [[ $file != *.@(sig?(n)|asc) ]]; then
-			continue
-		fi
+	for netfile in "${all_sources[@]}"; do
+		verify_file_signature "$netfile" "$statusfile" || continue
 
-		printf "    %s ... " "${file%.*}" >&2
-
-		if ! file="$(get_filepath "$file")"; then
-			printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
-			errors=1
-			continue
-		fi
-
-		found=0
-		for ext in "" gz bz2 xz lrz lzo Z; do
-			if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
-				found=1
-				break;
-			fi
-		done
-		if (( ! found )); then
-			printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
-			errors=1
-			continue
-		fi
-
-		case "$ext" in
-			gz)  decompress="gzip -c -d -f" ;;
-			bz2) decompress="bzip2 -c -d -f" ;;
-			xz)  decompress="xz -c -d" ;;
-			lrz) decompress="lrzip -q -d" ;;
-			lzo) decompress="lzop -c -d -q" ;;
-			Z)   decompress="uncompress -c -f" ;;
-			"")  decompress="cat" ;;
-		esac
-
-		$decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
 		# these variables are assigned values in parse_gpg_statusfile
 		success=0
 		status=
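Review bot: `verify_file_signature "$netfile" "$statusfile" || continue` at the top of the rewritten loop treats a gpg rejection the same as "not a signature file": the function's exit status is that of its last command, the gpg pipeline, so a bad or expired signature or an unknown key also returns non-zero, the iteration is skipped before parse_gpg_statusfile runs, `errors` stays 0 and the `    file ... ` line already printed to stderr gets no verdict. Before this change the pipeline status was ignored and the status file was always parsed. The fix belongs in the next hunk, at the end of verify_file_signature: add `return 0` after the gpg pipeline so that only the explicit `return 1` paths (not a signature, SIGNATURE NOT FOUND, SOURCE FILE NOT FOUND) skip the parsing step. The remainder of check_pgpsigs's loop body, where the status file is consumed, lies outside this hunk.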
@@ -145,6 +110,49 @@ check_pgpsigs() {
 	fi
 }
 
+verify_file_signature() {
+	local netfile="$1" statusfile="$2"
+	local file ext decompress found sourcefile
+
+	file="$(get_filename "$netfile")"
+	if [[ $file != *.@(sig?(n)|asc) ]]; then
+		return 1
+	fi
+
+	printf "    %s ... " "${file%.*}" >&2
+
+	if ! file="$(get_filepath "$netfile")"; then
+		printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
+		errors=1
+		return 1
+	fi
+
+	found=0
+	for ext in "" gz bz2 xz lrz lzo Z; do
+		if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
+			found=1
+			break;
+		fi
+	done
+	if (( ! found )); then
+		printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
+		errors=1
+		return 1
+	fi
+
+	case "$ext" in
+		gz)  decompress="gzip -c -d -f" ;;
+		bz2) decompress="bzip2 -c -d -f" ;;
+		xz)  decompress="xz -c -d" ;;
+		lrz) decompress="lrzip -q -d" ;;
+		lzo) decompress="lzop -c -d -q" ;;
+		Z)   decompress="uncompress -c -f" ;;
+		"")  decompress="cat" ;;
+	esac
+
+	$decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
+}
+
 parse_gpg_statusfile() {
 	local type arg1 arg6 arg10
 
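Review bot: verify_file_signature assigns `errors=1` on the SIGNATURE NOT FOUND and SOURCE FILE NOT FOUND paths without declaring it, so the assignment only reaches check_pgpsigs's `local errors` through bash's dynamic scoping; called from anywhere else it would silently create a global. That coupling and the function's contract deserve a header comment, e.g. `# $1: source entry, $2: gpg status file. Sets the caller's (dynamically scoped) 'errors' to 1 and returns 1 when the signature or its source file is missing; prints progress to stderr.` The final line also needs a comment stating that the function's return status is the gpg pipeline's status, since the caller's `|| continue` in the previous hunk keys off it.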
-- 
2.11.0

