Re: [pacman-dev] [PATCH 3/3] makepkg: Introduce validpgpkeys array

Sat, 08 Mar 2014 09:35:22 -0800 

Am 08.03.2014 18:20, schrieb Dave Reisner:
>> +    pubkey=$(grep VALIDSIG "$statusfile" | sed -nr 's/.* VALIDSIG 
>> ([A-Z0-9]*) .*/\1/p;')
> 
> I think you just want:
> 
>   pubkey=$(sed -n '/VALIDSIG/ s/.* VALIDSIG \([[:alnum:]]*\) .*/\1/p' 
> "$statusfile")
> 
> sed's -r flag isn't portable.

I took that from another place in makepkg:

scripts/makepkg.sh.in:1740:             for sofile in $(LC_ALL=C readelf
-d "$filename" 2>/dev/null | sed -nr 's/.*Shared library: \[(.*)\].*/\1/p')

If it's not portable, it should be fixed there, too.

>> +    echo "$pubkey"
> 
> Don't you only want to echo this if the check that follows succeeds?

Actually, I only need it in the failure case.

>> +    in_array "$pubkey" ${validpgpkeys[@]}
> 
> The array needs quoting.

Not according to the documentation, but sure, I'll add it.

>> +    return $?
> 
> Wholly redundant for this function in its current form.

You are right, although I hate that implicit return value stuff in bash.

>> +}
>> +
>>  check_pgpsigs() {
>>      (( SKIPPGPCHECK )) && return 0
>>      ! source_has_signatures && return 0
>> @@ -1303,9 +1312,12 @@ check_pgpsigs() {
>>                      if grep -q "REVKEYSIG" "$statusfile"; then
>>                              printf '%s (%s)' "$(gettext "FAILED")" 
>> "$(gettext "the key has been revoked.")" >&2
>>                              errors=1
>> -                    elif grep -q -e "TRUST_UNDEFINED" -e "TRUST_NEVER" 
>> "$statusfile"; then
>> +                    elif (( ${#validpgpkeys[@]} == 0 )) && grep -q -e 
>> "TRUST_UNDEFINED" -e "TRUST_NEVER" "$statusfile"; then
>>                              printf '%s (%s)' "$(gettext "FAILED")" 
>> "$(gettext "the key is not trusted")" >&2
>>                              errors=1
>> +                    elif (( ${#validpgpkeys[@]} > 0 )) && ! 
>> pubkey=$(is_valid_pgpkey "$statusfile"); then
>> +                            printf "%s (%s $pubkey)" "$(gettext "FAILED")" 
>> "$(gettext "invalid key")"
>> +                            errors=1
> 
> Is there a decent way to extract the real status from the file once and
> then do string comparisons in bash, rather than forking to grep all the
> time?

You just used the word 'decent' in a sentence that talks about gnupg.

We could use read to parse the file, set some variables and test those.
Is that desirable?

Attachment: signature.asc
Description: OpenPGP digital signature






















					Reply via email to