Instead of invoking grep multiple times, parse the status file once.
This refactoring also changes the behaviour when signature verification
fails due to a missing public key: It is now an error instead of a
warning.
---
scripts/makepkg.sh.in | 92 ++++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 73 insertions(+), 19 deletions(-)
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index e230c15..5386516 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1244,13 +1244,56 @@ check_checksums() {
fi
}
+parse_gpg_statusfile() {
+ local gnupg type arg1 arg2 arg3 arg4 arg5 arg6 arg7 arg8 arg9 arg10 rest
+
+ while read -r gnupg type arg1 arg2 arg3 arg4 arg5 arg6 arg7 arg8 arg9
arg10 rest; do
+ case "$type" in
+ GOODSIG)
+ pubkey=$arg1
+ success=1
+ status="good"
+ ;;
+ EXPSIG)
+ pubkey=$arg1
+ success=1
+ status="expired"
+ ;;
+ EXPKEYSIG)
+ pubkey=$arg1
+ success=1
+ status="expiredkey"
+ ;;
+ REVKEYSIG)
+ pubkey=$arg1
+ success=0
+ status="revokedkey"
+ ;;
+ BADSIG)
+ pubkey=$arg1
+ success=0
+ status="bad"
+ ;;
+ ERRSIG)
+ pubkey=$arg1
+ success=0
+ if [[ $arg6 == 9 ]]; then
+ status="missingkey"
+ else
+ status="error"
+ fi
+ ;;
+ esac
+ done < "$1"
+}
+
check_pgpsigs() {
(( SKIPPGPCHECK )) && return 0
! source_has_signatures && return 0
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file pubkey ext decompress found
+ local file ext decompress found pubkey success status
local warning=0
local errors=0
local statusfile=$(mktemp)
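Review bot: In `parse_gpg_statusfile` every matching line overwrites `success` and `status`, so the verdict is whatever the last recognised line in the status file says; if a signature file carries more than one signature, a `GOODSIG` that follows a `BADSIG` or `ERRSIG` would leave `success=1`. Because the second hunk no longer tests gpg's exit status, this parser is the only gate on the result. Making a failure final, for example by adding `return 0` at the end of the `REVKEYSIG`, `BADSIG` and `ERRSIG` arms, keeps a failing signature from being masked by a later good one. The function also sets `pubkey`, `success` and `status` in the caller's scope rather than its own, which deserves a header comment such as `# Sets pubkey, success and status in the caller from the gpg status file given as $1`.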
@@ -1292,31 +1335,42 @@ check_pgpsigs() {
"") decompress="cat" ;;
esac
- if ! $decompress < "$sourcefile" | gpg --quiet --batch
--status-file "$statusfile" --verify "$file" - 2> /dev/null; then
+ $decompress < "$sourcefile" | gpg --quiet --batch --status-file
"$statusfile" --verify "$file" - 2> /dev/null
+ success=0
+ status=
+ pubkey=
+ parse_gpg_statusfile "$statusfile"
+ if (( ! $success )); then
printf '%s' "$(gettext "FAILED")" >&2
- if ! pubkey=$(awk '/NO_PUBKEY/ { print $3; exit 1; }'
"$statusfile"); then
- printf ' (%s)' "$(gettext "unknown public key")
$pubkey" >&2
- warnings=1
- else
- errors=1
- fi
- printf '\n' >&2
+ case "$status" in
+ "missingkey")
+ printf ' (%s)' "$(gettext "unknown
public key") $pubkey" >&2
+ ;;
+ "revokedkey")
+ printf " ($(gettext "public key %s has
been revoked"))" "$pubkey" >&2
+ ;;
+ "bad")
+ printf ' (%s)' "$(gettext "bad
signature from public key") $pubkey" >&2
+ ;;
+ "error")
+ printf ' (%s)' "$(gettext "error during
signature verification")" >&2
+ ;;
+ esac
+ errors=1
else
- if grep -q "REVKEYSIG" "$statusfile"; then
- printf '%s (%s)' "$(gettext "FAILED")"
"$(gettext "the key has been revoked.")" >&2
- errors=1
- else
- printf '%s' "$(gettext "Passed")" >&2
- if grep -q "EXPSIG" "$statusfile"; then
+ printf '%s' "$(gettext "Passed")" >&2
+ case "$status" in
+ "expired")
printf ' (%s)' "$(gettext "WARNING:")
$(gettext "the signature has expired.")" >&2
warnings=1
- elif grep -q "EXPKEYSIG" "$statusfile"; then
+ ;;
+ "expiredkey")
printf ' (%s)' "$(gettext "WARNING:")
$(gettext "the key has expired.")" >&2
warnings=1
- fi
- fi
- printf '\n' >&2
+ ;;
+ esac
fi
+ printf '\n' >&2
done
rm -f "$statusfile"
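Review bot: The failure-side `case "$status"` has no default arm, so when the status file holds none of the recognised lines (gpg wrote nothing or could not run, and its stderr goes to `/dev/null`) the user sees a bare `FAILED` with no reason. The outcome is still fail-closed because `success` is reset to 0 before each parse, but a catch-all arm reusing the existing message, `*) printf ' (%s)' "$(gettext "error during signature verification")" >&2 ;;`, would make that case diagnosable. The pipeline's exit status is now discarded entirely; it may be worth keeping as a cross-check, provided the expired-signature cases still exit 0 as the removed code appears to have assumed. The loop this hunk edits starts outside the hunk.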
--
1.9.0