From c7c4c2a7d21fe99cc564fb2d8ecebd121c999217 Mon Sep 17 00:00:00 2001
From: Allan McRae
Date: Sun, 18 Feb 2024 21:45:51 +1000
Subject: [PATCH] verify_signature: wait as long as possible before bailing
Bailing early caused problems with makepkg failing on verify but expired signatures. As this is often out of the packagers control, and it is better to verify a signature than not, we try bailing as late as possible and let makepkg warn about the expired signature.
Signed-off-by: Allan McRae
---
 .../integrity/verify_signature.sh.in | 28 +++----------------
 1 file changed, 4 insertions(+), 24 deletions(-)
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index d52290b5..1d59231c 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -164,19 +164,9 @@ verify_file_signature() {
 "") decompress="cat" ;;
 esac
- # verify the signature and write metadata to a status file
- if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile_raw" --verify "$file" - 2> /dev/null; then
- printf '%s %s\n' "gpg" "$(gettext "is unable to verify the signature.")" >&2
- errors=1
- return 1
- fi
- # create a statusfile that contains only understood terms
- if ! filter_gnupg_statusfile > "$statusfile" < "$statusfile_raw"; then
- printf '%s\n' "$(gettext "unable to extract signature metadata.")" >&2
- errors=1
- return 1
- fi
+ $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile_raw" --verify "$file" - 2> /dev/null
+ filter_gnupg_statusfile > "$statusfile" < "$statusfile_raw"
 return 0
 }
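Review bot: With both `if !` guards gone, verify_file_signature reaches `return 0` even when no verification happened at all: gpg missing or unable to start, the decompressor failing, or filter_gnupg_statusfile erroring all leave an empty or absent status file, and stderr is sent to /dev/null so nothing is reported. Leaving the verdict on an expired-but-valid signature to the status parser is reasonable, but "no status was produced" is a different condition and should still fail closed here, for example `if [[ ! -s "$statusfile_raw" ]]; then errors=1; return 1; fi` right after the gpg line. The verify_git_signature hunk has the same gap, with git's non-signature errors merged into the raw file by `2>&1` and its exit status dropped. The callers are not part of this diff, so it should be confirmed that they treat a status file with no good-signature record as a failure; the function body also starts outside the hunk.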
@@ -209,19 +199,9 @@ verify_git_signature() {
 printf " %s git repo ... " "${dir##*/}" >&2
- # verify the signature and write metadata to a status file
- if ! git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile_raw" 2>&1; then
- printf '%s %s\n' "git" "$(gettext "is unable to verify the signature.")" >&2
- errors=1
- return 1
- fi
- # create a statusfile that contains only understood terms
- if ! filter_gnupg_statusfile > "$statusfile" < "$statusfile_raw"; then
- printf '%s\n' "$(gettext "unable to extract signature metadata.")" >&2
- errors=1
- return 1
- fi
+ git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile_raw" 2>&1
+ filter_gnupg_statusfile > "$statusfile" < "$statusfile_raw"
 return 0
 }
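Review bot: The two added lines in verify_git_signature lose the explanatory comments along with the checks, so nothing in the code says that the exit status of `git verify-$fragtype` is ignored on purpose. A comment above the git call such as `# exit status intentionally ignored: an expired signature fails here; the caller decides from the status file` would stop a later reader from restoring the check or assuming it was forgotten. The same comment belongs above the gpg pipeline in verify_file_signature. The function body starts outside the hunk.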