From f32a264796b3b43662b4734f1730d7a819d32484 Mon Sep 17 00:00:00 2001
From: Levente Polyak
Date: Thu, 19 Sep 2019 20:58:00 +0200
Subject: commitpkg: prefer explicit signature+data parameters for gpg --verify

Lets prefer the explicit variant of gpg --verify by providing both, the signature and the data file as parameters. For the unlikely case there is a matching signature file already present that was created outside of the toolchain and has an embedded signature with data, we at least could detect it early with this check.

Signed-off-by: Levente Polyak
---
 commitpkg.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/commitpkg.in b/commitpkg.in
index d55ce37..31b2443 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -162,8 +162,8 @@ for _arch in "${arch[@]}"; do
 fi
 gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "${pkgfile}" || die
 fi
- if ! gpg --verify "$sigfile" >/dev/null 2>&1; then
- die "Signature %s.sig is incorrect!" "$pkgfile"
+ if ! gpg --verify "$sigfile" "$pkgfile" >/dev/null 2>&1; then
+ die "Signature %s is incorrect!" "$sigfile"
 fi
 uploads+=("$sigfile")
 done
--
cgit v1.2.3-24-g4f1b
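Review bot: The new `gpg --verify "$sigfile" "$pkgfile"` check passes for a good signature from any key in the packager's keyring, so a pre-existing `.sig` made with a different key than the one `SIGNWITHKEY` presumably selects would still be appended to `uploads`. If the signer is meant to be pinned, the exit status alone is not enough; gpg's `--status-fd` output carries a `VALIDSIG` line with the signing fingerprint that can be compared against the expected key. If that is out of scope here, a comment such as `# checks that sig and package match; does not check which key signed` above the `if` would make the limit explicit. Because stdout and stderr both go to /dev/null, the `die` message is the only diagnostic, so a missing public key and a corrupt signature look the same to the user. The loop body starts above the hunk, so how `sigfile` is chosen is not visible here.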