pacman-key: Actually verify signatures and exit with correct codes

We cannot rely on gpg's exit code. Instead we have to check the status-fd to
figure out whether a signature is valid or not.

In addition, pacman-key --verify can now be used in scripts, as it will
return an exit code of 1 if the signature is invalid.

Signed-off-by: Pierre Schmitz <pierre@archlinux.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
Pierre Schmitz 2012-03-31 15:55:14 +02:00 committed by Dan McGee
parent 114d121001
commit a8f03d07c7
1 changed files with 5 additions and 1 deletions


@ -439,10 +439,14 @@ refresh_keys() {
}
verify_sig() {
if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
local fd="$(mktemp)"
"${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE
if ! grep -q TRUST_FULLY "${fd}"; then
rm -f "${fd}"
error "$(gettext "The signature identified by %s could not be verified.")" "$SIGNATURE"
exit 1
fi
rm -f "${fd}"
}
updatedb() {
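Review bot: The new `grep -q TRUST_FULLY "${fd}"` in verify_sig is an unanchored substring match over the whole status file, which also carries signer-supplied text such as user IDs on other status lines, so the keyword can match somewhere other than gpg's own trust line. Anchoring on the status prefix closes that gap, and an ultimately trusted key would presumably be acceptable too: `if ! grep -qE '^\[GNUPG:\] TRUST_(FULLY|ULTIMATE)' "${fd}"; then`. `local fd="$(mktemp)"` hides a mktemp failure, in which case gpg and grep run with an empty path; declaring first and using `fd="$(mktemp)" || exit 1` would fail closed explicitly. `$SIGNATURE` is still unquoted on the gpg line, so a path with spaces or glob characters is split before gpg sees it; `--verify "$SIGNATURE"` fixes that.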