From 3aa096a74f717d31650e0eb3cf34e9a5ebadc313 Mon Sep 17 00:00:00 2001
From: David Runge
Date: Mon, 22 Jan 2024 13:48:15 +0100
Subject: [PATCH] makepkg: Emit early error if signature verification fails

Emit an early error message if tag or commit verification with git or detached signature verification with gpg fails. Make `verify_file_signature()` and `verify_git_signature()` return non-zero in this case and set errors to `1`, so that later checks in `check_pgpsigs()`, although still run, can not lead to a positive result.

Signed-off-by: David Runge
---
 .../libmakepkg/integrity/verify_signature.sh.in | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index 0c1547ee3..ca1d5a868 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -157,7 +157,13 @@ verify_file_signature() {
 "")
 decompress="cat"
 ;;
 esac
- $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
+ # verify the signature and write metadata to a status file
+ if ! $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null; then
+ printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "gpg" >&2
+ errors=1
+ return 1
+ fi
+
 return 0
 }
@@ -189,7 +195,13 @@ verify_git_signature() {
 
 printf " %s git repo ... " "${dir##*/}" >&2
 
- git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1
+ # verify the signature and write metadata to a status file
+ if ! git -C "$dir" verify-$fragtype --raw "$fragval" > "$statusfile" 2>&1; then
+ printf '%s\n' "$(gettext "%s is unable to verify the signature.")" "git" >&2
+ errors=1
+ return 1
+ fi
+
 if ! grep -qs NEWSIG "$statusfile"; then
 printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
 errors=1
--
GitLab
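Review bot: The new diagnostic in verify_file_signature prints its placeholder literally, because the translated message is passed as an argument to the `'%s\n'` format instead of being used as the format, so the user sees `%s is unable to verify the signature.` on one line and `gpg` on the next. Use the message as the format, matching how makepkg's other placeholder messages are emitted: `printf "$(gettext "%s is unable to verify the signature.")\n" "gpg" >&2`. The same defect is in the second hunk (verify_git_signature), where the argument is `"git"`. Since gpg's own stderr is still sent to /dev/null on that line, this generic message is the only thing the user sees at this point, which makes getting its format right worth the fix. verify_file_signature's body starts before this hunk.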
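Review bot: The early `return 1` added in verify_git_signature sits in front of the existing `if ! grep -qs NEWSIG "$statusfile"` check, and git's verify-commit and verify-tag exit non-zero for an unsigned object as well as for a bad signature, so an unsigned commit or tag would now report the generic `git is unable to verify the signature.` and never reach the more specific SIGNATURE NOT FOUND path. If that distinction is still wanted, the NEWSIG test on `$statusfile` could run before git's exit status is treated as fatal, or the unsigned case could be folded into the new message. I am inferring git's exit status for unsigned objects from its general behaviour rather than from anything in this hunk, so it is worth confirming against the git version makepkg targets. verify_git_signature's body continues past the end of this hunk.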