makepkg: Use read to parse status file during signature verification.

Instead of invoking grep multiple times, parse the status file once.

This refactoring also changes the behaviour when signature verification
fails due to a missing public key: It is now an error instead of a
warning.

Signed-off-by: Allan McRae <allan@archlinux.org>
Thomas Bächler 2014-05-04 10:30:58 +02:00 committed by Allan McRae
parent 7a5e41925f
commit 34ae6ce4e5


@ -1244,13 +1244,56 @@ check_checksums() {
fi fi
} }
parse_gpg_statusfile() {
local type arg1 arg6
while read -r _ type arg1 _ _ _ _ arg6 _; do
case "$type" in
GOODSIG)
pubkey=$arg1
success=1
status="good"
;;
EXPSIG)
pubkey=$arg1
success=1
status="expired"
;;
EXPKEYSIG)
pubkey=$arg1
success=1
status="expiredkey"
;;
REVKEYSIG)
pubkey=$arg1
success=0
status="revokedkey"
;;
BADSIG)
pubkey=$arg1
success=0
status="bad"
;;
ERRSIG)
pubkey=$arg1
success=0
if [[ $arg6 == 9 ]]; then
status="missingkey"
else
status="error"
fi
;;
esac
done < "$1"
}
check_pgpsigs() { check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0 (( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0 ! source_has_signatures && return 0
msg "$(gettext "Verifying source file signatures with %s...")" "gpg" msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
local file pubkey ext decompress found local file ext decompress found pubkey success status
local warning=0 local warning=0
local errors=0 local errors=0
local statusfile=$(mktemp) local statusfile=$(mktemp)
@ -1292,31 +1335,43 @@ check_pgpsigs() {
"") decompress="cat" ;; "") decompress="cat" ;;
esac esac
if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
# these variables are assigned values in parse_gpg_statusfile
success=0
status=
pubkey=
parse_gpg_statusfile "$statusfile"
if (( ! $success )); then
printf '%s' "$(gettext "FAILED")" >&2 printf '%s' "$(gettext "FAILED")" >&2
if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then case "$status" in
"missingkey")
printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2 printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
warnings=1 ;;
else "revokedkey")
errors=1 printf " ($(gettext "public key %s has been revoked"))" "$pubkey" >&2
fi ;;
printf '\n' >&2 "bad")
else printf ' (%s)' "$(gettext "bad signature from public key") $pubkey" >&2
if grep -q "REVKEYSIG" "$statusfile"; then ;;
printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2 "error")
printf ' (%s)' "$(gettext "error during signature verification")" >&2
;;
esac
errors=1 errors=1
else else
printf '%s' "$(gettext "Passed")" >&2 printf '%s' "$(gettext "Passed")" >&2
if grep -q "EXPSIG" "$statusfile"; then case "$status" in
"expired")
printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2 printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
warnings=1 warnings=1
elif grep -q "EXPKEYSIG" "$statusfile"; then ;;
"expiredkey")
printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2 printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
warnings=1 warnings=1
fi ;;
esac
fi fi
printf '\n' >&2 printf '\n' >&2
fi
done done
rm -f "$statusfile" rm -f "$statusfile"
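Review bot: The new side of the gpg pipeline line no longer gates on its exit status (the old `if ! $decompress ... | gpg ...; then` became a bare command), so a decompress failure or a gpg that never wrote the status file is caught only because the caller pre-sets `success=0`, and it then reaches the FAILED branch with `status` empty and no `case` arm to explain why. Keeping the status, e.g. `local gpgstatus=0`, `$decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null || gpgstatus=$?` and `if (( ! success || gpgstatus )); then`, plus a `*)` arm printing the generic "error during signature verification" text, would restore that diagnosis. Separately, parse_gpg_statusfile reassigns `success` on every status line, so when the status file holds more than one signature result the last line decides, and a GOODSIG following a BADSIG or ERRSIG leaves `success=1`; a sticky failure flag that is never reset once a failing line has been seen would be safer. Both sides also still write `warnings=1` while the function declares `local warning=0`, which looks like the warning flag goes to an undeclared global rather than the local being checked. check_pgpsigs's loop header and the remainder of its body lie outside these hunks.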