commit: d61dbc9e5c358314c2aaa2edb1b5f12cc8d53310 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Tue Jan 27 00:13:44 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Tue Jan 27 00:13:44 2026 +0000 URL: https://gitweb.gentoo.org/proj/gentoo-authority-key.git/commit/?id=d61dbc9e
autosign.bash: handle failed ldapsearch I'd observed this back in https://github.com/gentoo/gentoo-authority-key/pull/4#issuecomment-2959920943 but didn't follow up on it as it seemed to be okay, but given we had an issue where some (but not all dev keys) got revoked by the script, let's be careful. Check ${PIPESTATUS} (via the eapi9-pipestatus.eclass impl) after ldapsearch in a subshell and exit if it failed. ldapsearch(1) says: > DIAGNOSTICS > Exit status is zero if no errors occur. Errors result in a non-zero > exit status and a diagnostic message being written to standard error. so it should be OK. Signed-off-by: Sam James <sam <AT> gentoo.org> autosign.bash | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/autosign.bash b/autosign.bash index 10b285f..f829393 100755 --- a/autosign.bash +++ b/autosign.bash @@ -3,6 +3,23 @@ # (c) 2019 Michał Górny # 2-clause BSD license +pipestatus() { + # Copied from eapi9-pipestatus.eclass + local status=( "${PIPESTATUS[@]}" ) + local s ret=0 verbose="" + + [[ ${1} == -v ]] && { verbose=1; shift; } + [[ $# -ne 0 ]] && die "usage: ${FUNCNAME} [-v]" + + for s in "${status[@]}"; do + [[ ${s} -ne 0 ]] && ret=${s} + done + + [[ ${verbose} ]] && echo "${status[@]}" + + return "${ret}" +} + die() { echo "${@}" >&2 exit 1 @@ -50,6 +67,7 @@ get_ldap() { esac done < <(ldapsearch -Z -D '' -LLL "${AUTOSIGN_FILTER:-(gentooStatus=active)}" gpgfingerprint || die "LDAP query failed") + pipestatus || die "LDAP query failed: $?" } # Get UID-fingerprint list of all currently trusted keys.
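Review bot: The copied `pipestatus()` helper carries only a provenance comment, so its calling contract is undocumented. It snapshots `PIPESTATUS` on its first line, so it must be the very next command after the pipeline it checks, and its loop keeps the status of the last stage that failed, not the first. I would add above the `local status=...` line: `# Call immediately after a foreground pipeline; returns the last non-zero stage status, or 0 if every stage succeeded.`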
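Review bot: The added `pipestatus || die "LDAP query failed: $?"` cannot see ldapsearch's exit status, because ldapsearch runs inside the `<( ... )` process substitution and `PIPESTATUS` only records the stages of the most recent foreground pipeline, which here is the `done < <(...)` loop itself. The existing `|| die` inside the substitution exits only that subshell, so a failed or truncated query can still leave get_ldap returning success with a short list; going by the commit message, that is the condition under which keys were revoked. On bash 4.4 or later the substitution can be reaped directly with `wait $! || die "LDAP query failed: $?"` right after `done`, provided nothing in the loop body starts another background job. The loop header and the callers of get_ldap are outside the hunk, so it should be confirmed there that partial output is not acted on before this check runs.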
