Add a function to verify files containing PGP signed messages (i.e. not
using detached signatures).  This will be used for projects that publish
signed checksum lists.

Signed-off-by: Michał Górny <mgo...@gentoo.org>
---
 eclass/verify-sig.eclass | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d16181f3bf0a..8445f4e26440 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -111,6 +111,38 @@ verify-sig_verify_detached() {
                die "PGP signature verification failed"
 }
 
+# @FUNCTION: verify-sig_verify_message
+# @USAGE: <file> [<key-file>]
+# @DESCRIPTION:
+# Verify that the file ('-' for stdin) contains a valid, signed PGP
+# message.  <key-file> can either be passed directly, or it defaults
+# to VERIFY_SIG_OPENPGP_KEY_PATH.  The function dies if verification
+# fails, or if the file contains unsigned data.
+verify-sig_verify_message() {
+       local file=${1}
+       local key=${2:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+       [[ -n ${key} ]] ||
+               die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH 
unset"
+
+       local extra_args=()
+       [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+       [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+               --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+       )
+
+       # GPG upstream knows better than to follow the spec, so we can't
+       # override this directory.  However, there is a clean fallback
+       # to GNUPGHOME.
+       addpredict /run/user
+
+       local filename=${file##*/}
+       [[ ${file} == - ]] && filename='(stdin)'
+       einfo "Verifying $(unknown) ..."
+       gemato openpgp-verify -K "${key}" "${extra_args[@]}" -- "${file}" ||
+               die "PGP signature verification failed"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all
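Review bot: The `filename` local computed on the two lines before the `einfo` call is never used, and the message as shown reads `$(unknown)`, which bash treats as a command substitution that runs a non-existent `unknown` command and prints an empty name; this is probably a rendering artifact of `${filename}`, but the line should read `einfo "Verifying ${filename} ..."`. The `die` string near the top of the function is likewise split across two lines here (`... VERIFY_SIG_OPENPGP_KEY_PATH` / `unset"`), presumably mail wrapping rather than the committed text, but worth confirming since a literal break would be a syntax error. On the security side, the description promises that the function dies if the file contains unsigned data, yet nothing in the function body enforces that — it relies entirely on `gemato openpgp-verify` rejecting bytes outside the clearsigned block, so that delegation, and the consequence that callers must consume only the signed payload rather than re-reading the raw file, deserve a comment such as `# NOTE: rejection of data outside the signed block is delegated to gemato; callers must not parse bytes outside it.`. The new function is complete within the hunk; the neighbouring verify-sig_verify_detached and verify-sig_src_unpack are cut at the hunk edges.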
-- 
2.29.2

