We pass this to gpg -u and this gpg option can accept a number of
different formats, not just the historical hexadecimal fingerprint we
assumed. We should not barf hard if a format is used which happens to
contain spaces.
This also fixes a validation bug. When we initially check if the desired
key is available, we don't quote spaces, so gpg goes ahead and treats
each space-separated string as a *different key* to search for,
returning partial matches, and returning success if at least one key is
found. But gpg --detach-sign -u will certainly not accept multiple keys!
Fixes FS#66949
Signed-off-by: Eli Schwartz <eschwa...@archlinux.org>
---
v2: fix case of GPGKEY="" with signing enabled reporting that no keys
exist in the keyring. Only expand the quoted GPGKEY if it is non-empty.
scripts/libmakepkg/integrity/generate_signature.sh.in | 6 +++---
scripts/makepkg.sh.in | 2 +-
scripts/repo-add.sh.in | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in
b/scripts/libmakepkg/integrity/generate_signature.sh.in
index aec96c03..748087c2 100644
--- a/scripts/libmakepkg/integrity/generate_signature.sh.in
+++ b/scripts/libmakepkg/integrity/generate_signature.sh.in
@@ -29,12 +29,12 @@ create_signature() {
local ret=0
local filename="$1"
- local SIGNWITHKEY=""
+ local SIGNWITHKEY=()
if [[ -n $GPGKEY ]]; then
- SIGNWITHKEY="-u ${GPGKEY}"
+ SIGNWITHKEY=(-u "${GPGKEY}")
fi
- gpg --detach-sign --use-agent ${SIGNWITHKEY} --no-armor "$filename"
&>/dev/null || ret=$?
+ gpg --detach-sign --use-agent "${SIGNWITHKEY[@]}" --no-armor
"$filename" &>/dev/null || ret=$?
if (( ! ret )); then
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 7261fb2c..cc8de5aa 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1293,7 +1293,7 @@ fi
# check if gpg signature is to be created and if signing key is valid
if { [[ -z $SIGNPKG ]] && check_buildenv "sign" "y"; } || [[ $SIGNPKG == 'y'
]]; then
SIGNPKG='y'
- if ! gpg --list-key ${GPGKEY} &>/dev/null; then
+ if ! gpg --list-key ${GPGKEY:+"$GPGKEY"} &>/dev/null; then
if [[ ! -z $GPGKEY ]]; then
error "$(gettext "The key %s does not exist in your
keyring.")" "${GPGKEY}"
else
diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
index 545c2929..272d8d22 100644
--- a/scripts/repo-add.sh.in
+++ b/scripts/repo-add.sh.in
@@ -137,7 +137,7 @@ check_gpg() {
fi
if (( ! VERIFY )); then
- if ! gpg --list-key ${GPGKEY} &>/dev/null; then
+ if ! gpg --list-key ${GPGKEY:+"$GPGKEY"} &>/dev/null; then
if [[ ! -z $GPGKEY ]]; then
error "$(gettext "The key ${GPGKEY} does not
exist in your keyring.")"
elif (( ! KEY )); then
@@ -155,11 +155,11 @@ create_signature() {
local ret=0
msg "$(gettext "Signing database '%s'...")" "${dbfile##*/.tmp.}"
- local SIGNWITHKEY=""
+ local SIGNWITHKEY=()
if [[ -n $GPGKEY ]]; then
- SIGNWITHKEY="-u ${GPGKEY}"
+ SIGNWITHKEY=(-u "${GPGKEY}")
fi
- gpg --detach-sign --use-agent --no-armor ${SIGNWITHKEY} "$dbfile"
&>/dev/null || ret=$?
+ gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "$dbfile"
&>/dev/null || ret=$?
if (( ! ret )); then
msg2 "$(gettext "Created signature file '%s'")"
"${dbfile##*/.tmp.}.sig"
--
2.27.0
