Add a function to verify files containing PGP signed messages (i.e. not using detached signatures). This will be used for projects that publish signed checksum lists.
Signed-off-by: Michał Górny <mgo...@gentoo.org>
---
 eclass/verify-sig.eclass | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index d16181f3bf0a..8445f4e26440 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -111,6 +111,38 @@ verify-sig_verify_detached() {
 die "PGP signature verification failed"
 }
+# @FUNCTION: verify-sig_verify_message
+# @USAGE: <file> [<key-file>]
+# @DESCRIPTION:
+# Verify that the file ('-' for stdin) contains a valid, signed PGP
+# message. <key-file> can either be passed directly, or it defaults
+# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
+# fails, or if the file contains unsigned data.
+verify-sig_verify_message() {
+ local file=${1}
+ local key=${2:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+ local extra_args=()
+ [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
+ [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+ )
+ # GPG upstream knows better than to follow the spec, so we can't
+ # override this directory. However, there is a clean fallback
+ # to GNUPGHOME.
+ addpredict /run/user
+ local filename=${file##*/}
+ [[ ${file} == - ]] && filename='(stdin)'
+ einfo "Verifying $(unknown) ..."
+ gemato openpgp-verify -K "${key}" "${extra_args[@]}" -- "${file}" ||
+ die "PGP signature verification failed"
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all
-- 
2.29.2
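Review bot: The status line in verify-sig_verify_message reads `einfo "Verifying $(unknown) ..."` while the `filename` local set on the two preceding lines is never referenced; this looks like a rendering artifact standing in for `${filename}`, but as shown it is a command substitution of a command named `unknown`, so the line should be `einfo "Verifying ${filename} ..."`. The @DESCRIPTION promises the function dies "if the file contains unsigned data", yet the body only tests the exit status of `gemato openpgp-verify`, so that guarantee rests entirely on gemato rejecting bytes outside the signed block; that should be confirmed against gemato and recorded next to the call, e.g. `# Detection of data outside the signed block is delegated to gemato; callers still consume <file> as-is afterwards`. The key lookup, `extra_args` assembly and `addpredict /run/user` presumably mirror verify-sig_verify_detached (named in the hunk header, body outside the hunk), so factoring them into a shared private helper would keep the two verifiers from drifting when keyserver or refresh handling changes.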