summaryrefslogtreecommitdiffstats
path: root/build-aux/script-wrapper.sh.in
diff options
context:
space:
mode:
authorEli Schwartz <eschwartz@archlinux.org>2018-10-21 19:28:41 +0200
committerAllan McRae <allan@archlinux.org>2018-11-03 12:56:09 +0100
commit635a9c911c419932e4f27eeae349bb265011ca86 (patch)
tree6617d7bea18032a37f42587190b1d5271c5285e0 /build-aux/script-wrapper.sh.in
parentd230ec6f17a2b64ed61936013234414c74e7c29f (diff)
downloadpacman-635a9c911c419932e4f27eeae349bb265011ca86.tar.gz
pacman-635a9c911c419932e4f27eeae349bb265011ca86.tar.xz
pacman-key: just accept one file to verify, and enforce detached sigs
Simply pass options on to gpg the same way gpg uses them -- no looping through and checking lots of signatures. This prevents a situation where the signature file to be verified is manipulated to contain an embedded signature which is valid, but not a detached signature for the file you are actually trying to verify. gpg does not offer an option to verify many files at once by naming each signature/file pair, and there's no reason for us to do so either, since it would be quite tiresome to do so. In the event that there is no signature/file pair specified to pacman-key itself, - preserve gpg's behavior, *if* the matching file does not exist, by - assuming the signature is an embedded signature - deviate from gpg's behavior, by - offering a security warning about which one is happening - when there is an embedded signature *and* a matching detached file, assume the latter is desired Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'build-aux/script-wrapper.sh.in')
0 files changed, 0 insertions, 0 deletions