Improve exit statuses and error messages in pacman-key

Return codes from gpg commands are currently lost. This adds the functionality
of taking non-zero exit statuses from gpg. This includes error reporting for all
gpg commands that are run individually, run in a loop, and run through a pipe.

Includes the check_keyids_exist function which verifies a key exists locally
prior to attempted local manipulation of the key.

If a gpg command has a non-zero status, pacman-key will now exit with a non-zero
status. It will print a gettext error message of gpg's failure.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>

1 files changed, 95 insertions, 23 deletions

diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index 02df8c50..b7c77d82 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -144,6 +144,20 @@ add_gpg_conf_option() {
 	fi
 }
 
+check_keyids_exist() {
+	local ret=0
+	for key in "${KEYIDS[@]}"; do
+		# Verify if the key exists in pacman's keyring
+		if ! "${GPG_PACMAN[@]}" --list-keys "$key" &>/dev/null ; then
+			error "$(gettext "The key identified by %s could not be found locally.")" "$key"
+			ret=1
+		fi
+	done
+	if (( ret )); then
+		exit 1
+	fi
+}
+
 initialize() {
 	local conffile keyserv
 	# Check for simple existence rather than for a directory as someone
@@ -339,85 +353,143 @@ populate_keyring() {
 }
 
 add_keys() {
-	"${GPG_PACMAN[@]}" --quiet --batch --import "${KEYFILES[@]}"
+	if ! "${GPG_PACMAN[@]}" --quiet --batch --import "${KEYFILES[@]}" ; then
+		error "$(gettext "A specified keyfile could not be added to the gpg keychain.")"
+		exit 1
+	fi
 }
 
 delete_keys() {
-	"${GPG_PACMAN[@]}" --quiet --batch --delete-key --yes "${KEYIDS[@]}"
+	check_keyids_exist
+	if ! "${GPG_PACMAN[@]}" --quiet --batch --delete-key --yes "${KEYIDS[@]}" ; then
+		error "$(gettext "A specified key could not be removed from the gpg keychain.")"
+		exit 1
+	fi
 }
 
 edit_keys() {
-	local errors=0;
+	check_keyids_exist
+	local ret=0
 	for key in "${KEYIDS[@]}"; do
-		# Verify if the key exists in pacman's keyring
-		if ! "${GPG_PACMAN[@]}" --list-keys "$key" &>/dev/null; then
-			error "$(gettext "The key identified by %s does not exist.")" "$key"
-			errors=1;
+		if ! "${GPG_PACMAN[@]}" --edit-key "$key" ; then
+			error "$(gettext "The key identified by %s could not be edited.")" "$key"
+			ret=1
 		fi
 	done
-	(( errors )) && exit 1;
-
-	for key in "${KEYIDS[@]}"; do
-		"${GPG_PACMAN[@]}" --edit-key "$key"
-	done
+	if (( ret )); then
+		exit 1
+	fi
 }
 
 export_keys() {
-	"${GPG_PACMAN[@]}" --armor --export "${KEYIDS[@]}"
+	check_keyids_exist
+	if ! "${GPG_PACMAN[@]}" --armor --export "${KEYIDS[@]}" ; then
+		error "$(gettext "A specified key could not be exported from the gpg keychain.")"
+		exit 1
+	fi
 }
 
 finger_keys() {
-	"${GPG_PACMAN[@]}" --batch --fingerprint "${KEYIDS[@]}"
+	check_keyids_exist
+	if ! "${GPG_PACMAN[@]}" --batch --fingerprint "${KEYIDS[@]}" ; then
+		error "$(gettext "The fingerprint of a specified key could not be determined.")"
+		exit 1
+	fi
 }
 
 import_trustdb() {
 	local importdir
-
+	local ret=0
 	for importdir in "${IMPORT_DIRS[@]}"; do
 		if [[ -f "${importdir}/trustdb.gpg" ]]; then
 			gpg --homedir "${importdir}" --export-ownertrust | \
 				"${GPG_PACMAN[@]}" --import-ownertrust -
+			if (( PIPESTATUS )); then
+				error "$(gettext "%s could not be imported.")" "${importdir}/trustdb.gpg"
+				ret=1
+			fi
+		else
+			error "$(gettext "File %s does not exist and could not be imported.")" "${importdir}/trustdb.gpg"
+			ret=1
 		fi
 	done
+	if (( ret )); then
+		exit 1
+	fi
 }
 
 import() {
 	local importdir
-
+	local ret=0
 	for importdir in "${IMPORT_DIRS[@]}"; do
 		if [[ -f "${importdir}/pubring.gpg" ]]; then
-			"${GPG_PACMAN[@]}" --quiet --batch --import "${importdir}/pubring.gpg"
+			if ! "${GPG_PACMAN[@]}" --quiet --batch --import "${importdir}/pubring.gpg" ; then
+				error "$(gettext "%s could not be imported.")" "${importdir}/pubring.gpg"
+				ret=1
+			fi
+		else
+			error "$(gettext "File %s does not exist and could not be imported.")" "${importdir}/pubring.gpg"
+			ret=1
 		fi
 	done
+	if (( ret )); then
+		exit 1
+	fi
 }
 
 list_keys() {
-	"${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}"
+	check_keyids_exist
+	if ! "${GPG_PACMAN[@]}" --batch --list-keys "${KEYIDS[@]}" ; then
+		error "$(gettext "A specified key could not be listed.")"
+		exit 1
+	fi
 }
 
 list_sigs() {
-	"${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}"
+	check_keyids_exist
+	if ! "${GPG_PACMAN[@]}" --batch --list-sigs "${KEYIDS[@]}" ; then
+		error "$(gettext "A specified signature could not be listed.")"
+		exit 1
+	fi
 }
 
 lsign_keys() {
+	check_keyids_exist
 	printf 'y\ny\n' | LANG=C "${GPG_PACMAN[@]}" --command-fd 0 --quiet --batch --lsign-key "${KEYIDS[@]}" 2>/dev/null
+	if (( PIPESTATUS[1] )); then
+		error "$(gettext "A specified key could not be locally signed.")"
+		exit 1
+	fi
 }
 
 receive_keys() {
-	"${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}"
+	if ! "${GPG_PACMAN[@]}" --recv-keys "${KEYIDS[@]}" ; then
+		error "$(gettext "Remote key not fetched correctly from keyserver.")"
+		exit 1
+	fi
 }
 
 refresh_keys() {
-	"${GPG_PACMAN[@]}" --refresh-keys "${KEYIDS[@]}"
+	check_keyids_exist
+	if ! "${GPG_PACMAN[@]}" --refresh-keys "${KEYIDS[@]}" ; then
+		error "$(gettext "A specified local key could not be updated from a keyserver.")"
+		exit 1
+	fi
 }
 
 verify_sig() {
-	"${GPG_PACMAN[@]}" --verify $SIGNATURE
+	if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
+		error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
+		exit 1
+	fi
 }
 
 updatedb() {
 	msg "$(gettext "Updating trust database...")"
-	"${GPG_PACMAN[@]}" --batch --check-trustdb
+	if ! "${GPG_PACMAN[@]}" --batch --check-trustdb ; then
+		error "$(gettext "Trust database could not be updated.")"
+		exit 1
+	fi
 }
 
 # PROGRAM START