This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=f10f1fbe9e52a6be500504f23d8f5b4a429e9d53 commit f10f1fbe9e52a6be500504f23d8f5b4a429e9d53 Author: Guillem Jover <[email protected]> AuthorDate: Sun Nov 6 13:55:13 2022 +0100 Dpkg::OpenPGP: Reintroduce gpg fallback for signature verification While the stated goal of commit f7f88cc62a86d4b96f2c9b0479f495a198d5a59d is still valid, it makes adding multiple backend implementations harder as specific command for verification both inline and detached signatures is not a commonly provided interface. And then we need to check that depending on the backend both commands are available when requiring the full API. --- scripts/Dpkg/OpenPGP.pm | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm index 7e7be1444..22d0baf08 100644 --- a/scripts/Dpkg/OpenPGP.pm +++ b/scripts/Dpkg/OpenPGP.pm @@ -176,11 +176,17 @@ sub _gpg_options_weak_digests { sub _gpg_verify { my ($self, $signeddata, $sig, $data, @certs) = @_; - return OPENPGP_MISSING_CMD unless $self->{has_cmd}{gpgv}; + return OPENPGP_MISSING_CMD if ! $self->{has_cmd}{gpgv} || ! $self->{has_cmd}{gpg}; my $gpg_home = File::Temp->newdir('dpkg-gpg-verify.XXXXXXXX', TMPDIR => 1); - my @exec = qw(gpgv); + my @exec; + if ($self->{has_cmd}{gpgv}) { + push @exec, qw(gpgv); + } else { + push @exec, qw(gpg); + push @exec, qw(--no-options --no-default-keyring --batch --quiet); + } push @exec, _gpg_options_weak_digests(); push @exec, '--homedir', $gpg_home; foreach my $cert (@certs) { @@ -190,6 +196,9 @@ sub _gpg_verify { push @exec, '--keyring', $certring; } push @exec, '--output', $data if defined $data; + if (! $self->{has_cmd}{gpgv}) { + push @exec, '--verify'; + } push @exec, $sig if defined $sig; push @exec, $signeddata; -- Dpkg.Org's dpkg
