authorPierre Schmitz <pierre@archlinux.de>2012-03-31 15:55:14 +0200
committerDan McGee <dan@archlinux.org>2012-04-07 17:22:10 +0200
commita8f03d07c7eaae02a55065a4a2f098ef6d8b5bff (patch)
tree7405a631ee1b159af42dd9ccbeec5274b127e7d3
parent114d121001d8c3e901d5330b864d58870c6e917b (diff)
downloadpacman-a8f03d07c7eaae02a55065a4a2f098ef6d8b5bff.tar.gz
pacman-a8f03d07c7eaae02a55065a4a2f098ef6d8b5bff.tar.xz
pacman-key: Actually verify signatures and exit with correct codes
We cannot rely on gpg's exit code. Instead we have to check the status-fd to figure out whether a signature is valid or not. In addition to this pacman-key --verify can now be used in scripts as it will return an exit code of 1 if the signature is invalid. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> Signed-off-by: Dan McGee <dan@archlinux.org>
-rw-r--r--scripts/pacman-key.sh.in6
1 files changed, 5 insertions, 1 deletions
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index ccc387b2..278e3d6e 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -439,10 +439,14 @@ refresh_keys() {
}
verify_sig() {
- if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
+ local fd="$(mktemp)"
+ "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE
+ if ! grep -q TRUST_FULLY "${fd}"; then
+ rm -f "${fd}"
error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
exit 1
fi
+ rm -f "${fd}"
}
updatedb() {
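Review bot: The check at `if ! grep -q TRUST_FULLY "${fd}"; then` rejects signatures made by ultimately trusted keys, because gpg reports those with a `TRUST_ULTIMATE` status line rather than `TRUST_FULLY`, so a signature from the user's own key (or any key set to ultimate trust) now fails `pacman-key --verify`. Matching both levels keeps the fail-closed behaviour while accepting the higher one: `if ! grep -q -e TRUST_FULLY -e TRUST_ULTIMATE "${fd}"; then`. As far as I recall gpg also prints a `TRUST_*` line after signatures it flags as EXPSIG/EXPKEYSIG/REVKEYSIG, so pairing the trust check with a `GOODSIG` match is worth confirming against gpg's DETAILS documentation before relying on this in scripts. Minor: `local fd="$(mktemp)"` masks mktemp's exit status, although an empty path does fail closed through the grep.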