We cannot rely on gpg's exit code. Instead we have to check the status-fd to
figure out whether a signature is valid or not.
In addition to this pacman-key --verify can now be used in scripts as it will
return an exit code of 1 if the signature is invalid.
Signed-off-by: Pierre Schmitz <pie...@archlinux.de>
---
scripts/pacman-key.sh.in | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/pacman-key.sh.in b/scripts/pacman-key.sh.in
index b4bad1d..081a10a 100644
--- a/scripts/pacman-key.sh.in
+++ b/scripts/pacman-key.sh.in
@@ -436,10 +436,14 @@ refresh_keys() {
}
verify_sig() {
- if ! "${GPG_PACMAN[@]}" --verify $SIGNATURE ; then
+ local fd="$(mktemp)"
+ "${GPG_PACMAN[@]}" --status-file "${fd}" --verify $SIGNATURE
+ if ! grep -q TRUST_FULLY "${fd}"; then
+ rm -f "${fd}"
error "$(gettext "The signature identified by %s could not be
verified.")" "$SIGNATURE"
exit 1
fi
+ rm -f "${fd}"
}
updatedb() {
--
1.7.9.5
