gpg --verify doesn't actually work the way any sane person would think...

2018-06-28 01:43:21 +07:00 · 2018-06-28 01:43:21 +07:00 · 9448638dd3
parent dbb26ca3c9
commit 9448638dd3
2 changed files with 3 additions and 9 deletions
--- a/installer/gpg/maintainer.gpg
+++ b/installer/gpg/maintainer.gpg
--- a/installer/portable/update-filebot.sh
+++ b/installer/portable/update-filebot.sh
@ -1,4 +1,4 @@
-#!/bin/sh -xu
+#!/bin/sh
 PRG="$0"

 # resolve relative symlinks
@ -25,6 +25,7 @@ PACKAGE_URL="@{link.release.index}/HEAD/$PACKAGE_NAME"
 SIGNATURE_FILE="$PACKAGE_FILE.asc"
 SIGNATURE_URL="$PACKAGE_URL.asc"

+
 # use *.asc file to check for updates
 echo "Update $PACKAGE_FILE"
 HTTP_CODE=`curl -L -o "$SIGNATURE_FILE" -z "$SIGNATURE_FILE" --retry 5 "$SIGNATURE_URL" -w "%{http_code}"`
@ -37,14 +38,7 @@ fi
 curl -L -o "$PACKAGE_FILE" -z "$PACKAGE_FILE" --retry 5 "$PACKAGE_URL"


-# initialize gpg
-GPG_HOME="$FILEBOT_HOME/data/.gpg"
-
-if [ ! -d "$GPG_HOME" ]; then
-	mkdir -p "$GPG_HOME" && chmod 700 "$GPG_HOME" && gpg --homedir "$GPG_HOME" --no-default-keyring --keyring "trustedkeys.kbx" --import "$FILEBOT_HOME/maintainer.pub"
-fi
-
 # verify signature and extract tar
-if gpgv --homedir "$GPG_HOME" "$SIGNATURE_FILE" "$PACKAGE_FILE"; then
+if gpgv --homedir "$FILEBOT_HOME" --keyring "maintainer.gpg" "$SIGNATURE_FILE" "$PACKAGE_FILE"; then
 	tar -xvf "$PACKAGE_FILE"
 fi