authorThomas Bächler <thomas@archlinux.org>2014-05-04 10:30:58 +0200
committerAllan McRae <allan@archlinux.org>2014-05-23 07:30:54 +0200
commit34ae6ce4e5a47b11b7fa55b94bc476f294b004bc (patch)
tree20892a0d2af1a00ec39bd2e67445a7dcafc693f5
parent7a5e41925f72d838eaa611427e5ae89b1f57215f (diff)
makepkg: Use read to parse status file during signature verification.
Instead of invoking grep multiple times, parse the status file once. This refactoring also changes the behaviour when signature verification fails due to a missing public key: it is now an error instead of a warning. Signed-off-by: Allan McRae <allan@archlinux.org>
-rw-r--r--scripts/makepkg.sh.in93
1 files changed, 74 insertions, 19 deletions
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 95994dd0..aa2a2f3c 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1244,13 +1244,56 @@ check_checksums() {
fi
}
+parse_gpg_statusfile() {
+ local type arg1 arg6
+
+ while read -r _ type arg1 _ _ _ _ arg6 _; do
+ case "$type" in
+ GOODSIG)
+ pubkey=$arg1
+ success=1
+ status="good"
+ ;;
+ EXPSIG)
+ pubkey=$arg1
+ success=1
+ status="expired"
+ ;;
+ EXPKEYSIG)
+ pubkey=$arg1
+ success=1
+ status="expiredkey"
+ ;;
+ REVKEYSIG)
+ pubkey=$arg1
+ success=0
+ status="revokedkey"
+ ;;
+ BADSIG)
+ pubkey=$arg1
+ success=0
+ status="bad"
+ ;;
+ ERRSIG)
+ pubkey=$arg1
+ success=0
+ if [[ $arg6 == 9 ]]; then
+ status="missingkey"
+ else
+ status="error"
+ fi
+ ;;
+ esac
+ done < "$1"
+}
+
check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file pubkey ext decompress found
+ local file ext decompress found pubkey success status
local warning=0
local errors=0
local statusfile=$(mktemp)
@@ -1292,31 +1335,43 @@ check_pgpsigs() {
"") decompress="cat" ;;
esac
- if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
+ $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
+ # these variables are assigned values in parse_gpg_statusfile
+ success=0
+ status=
+ pubkey=
+ parse_gpg_statusfile "$statusfile"
+ if (( ! $success )); then
printf '%s' "$(gettext "FAILED")" >&2
- if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }' "$statusfile"); then
- printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
- warnings=1
- else
- errors=1
- fi
- printf '\n' >&2
+ case "$status" in
+ "missingkey")
+ printf ' (%s)' "$(gettext "unknown public key") $pubkey" >&2
+ ;;
+ "revokedkey")
+ printf " ($(gettext "public key %s has been revoked"))" "$pubkey" >&2
+ ;;
+ "bad")
+ printf ' (%s)' "$(gettext "bad signature from public key") $pubkey" >&2
+ ;;
+ "error")
+ printf ' (%s)' "$(gettext "error during signature verification")" >&2
+ ;;
+ esac
+ errors=1
else
- if grep -q "REVKEYSIG" "$statusfile"; then
- printf '%s (%s)' "$(gettext "FAILED")" "$(gettext "the key has been revoked.")" >&2
- errors=1
- else
- printf '%s' "$(gettext "Passed")" >&2
- if grep -q "EXPSIG" "$statusfile"; then
+ printf '%s' "$(gettext "Passed")" >&2
+ case "$status" in
+ "expired")
printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
warnings=1
- elif grep -q "EXPKEYSIG" "$statusfile"; then
+ ;;
+ "expiredkey")
printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
warnings=1
- fi
- fi
- printf '\n' >&2
+ ;;
+ esac
fi
+ printf '\n' >&2
done
rm -f "$statusfile"
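Review bot: parse_gpg_statusfile lets the last status line win, so when gpg emits several signature results (a detached signature file can carry more than one signature packet) an earlier BADSIG, REVKEYSIG or ERRSIG line is overwritten by a later GOODSIG and `success` ends up 1; record a sticky failure in the three failing arms, e.g. `failed=1`, and after the loop force `(( failed )) && success=0` so that one bad result fails the whole check. The pipeline at `$decompress < "$sourcefile" | gpg ...` no longer checks its exit status, so if gpg cannot run at all the status file stays empty, `status` stays `""` and the `case "$status"` in the failure branch prints FAILED with no reason — a `*) printf ' (%s)' "$(gettext "error during signature verification")" >&2 ;;` default arm would cover that path. The function also writes `pubkey`, `success` and `status` into the caller's scope through bash's dynamic scoping (they are deliberately not `local`), which deserves a header comment on parse_gpg_statusfile stating that the caller must declare and reset them before the call, as check_pgpsigs now does. Separately, the context line `local warning=0` is never the variable that is assigned (`warnings=1` in both remaining arms), so `warnings` leaks as a global; this predates the commit but is worth fixing while this block is being reworked.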