55 lines
2 KiB
Diff
55 lines
2 KiB
Diff
|
From 3aa096a74f717d31650e0eb3cf34e9a5ebadc313 Mon Sep 17 00:00:00 2001
|
||
|
From: David Runge <dvzrv@archlinux.org>
|
||
|
Date: Mon, 22 Jan 2024 13:48:15 +0100
|
||
|
Subject: [PATCH] makepkg: Emit early error if signature verification fails
|
||
|
|
||
|
Emit an early error message if tag or commit verification with git or
|
||
|
detached signature verification with gpg fails.
|
||
|
Make `verify_file_signature()` and `verify_git_signature()` return
|
||
|
non-zero in this case and set errors to `1`, so that later checks
|
||
|
in `check_pgpsigs()`, although still run, can not lead to a positive
|
||
|
result.
|
||
|
|
||
|
Signed-off-by: David Runge <dvzrv@archlinux.org>
|
||
|
---
|
||
|
.../libmakepkg/integrity/verify_signature.sh.in | 16 ++++++++++++++--
|
||
|
1 file changed, 14 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
|
||
|
index 0c1547ee3..ca1d5a868 100644
|
||
|
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
|
||
|
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
|
||
|
@@ -157,7 +157,13 @@ verify_file_signature() {
|
||
|
"") decompress="cat" ;;
|
||
|
esac
|
||
|
|
||
|
- $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
|
||
|
+ # verify the signature and write metadata to a status file
|
||
|
+ if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
|
||
|
+ printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "gpg" >&2
|
||
|
+ errors=1
|
||
|
+ return 1
|
||
|
+ fi
|
||
|
+
|
||
|
return 0
|
||
|
}
|
||
|
|
||
|
@@ -189,7 +195,13 @@ verify_git_signature() {
|
||
|
|
||
|
printf " %s git repo ... " "${dir##*/}" >&2
|
||
|
|
||
|
- git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1
|
||
|
+ # verify the signature and write metadata to a status file
|
||
|
+ if ! git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1; then
|
||
|
+ printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "git" >&2
|
||
|
+ errors=1
|
||
|
+ return 1
|
||
|
+ fi
|
||
|
+
|
||
|
if ! grep -qs NEWSIG "$statusfile"; then
|
||
|
printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
|
||
|
errors=1
|
||
|
--
|
||
|
GitLab
|
||
|
|