author | Erich Eckner <git@eckner.net> | 2017-11-11 00:22:29 +0100 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2017-11-11 00:22:29 +0100 |
commit | 2d7471aae8d77315d37c0445cd880cf597a6e0a2 (patch) | |
tree | 97510078de8d9d143f5a9a30baa919d0a630ded9 /bin | |
parent | 3b05c7ea9b3e3d4fd070ed69865f9d2de44f6a47 (diff) | |
download | builder-2d7471aae8d77315d37c0445cd880cf597a6e0a2.tar.xz |
bin/return-assignment: check validity of package signatures
Diffstat (limited to 'bin')
-rwxr-xr-x | bin/return-assignment | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/bin/return-assignment b/bin/return-assignment
index e9df686..1acf3fd 100755
--- a/bin/return-assignment
+++ b/bin/return-assignment
@@ -197,6 +197,26 @@ if [ -n "${missing_files}" ]; then
 exit 3
 fi
 
+# check if the signatures are valid
+signatures=$(
+ find . -maxdepth 1 -name '*.pkg.tar.xz' \
+ -printf 'package file %f\n' \
+ -exec gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg --verify '{}.sig' '{}' \; 2> /dev/null
+)
+if [ -z "$(
+ echo "${signatures}" | \
+ cut -d' ' -f2 | \
+ grep -x 'file\|TRUST_FULLY' | \
+ sort | \
+ uniq -c | \
+ awk '{print $1}' | \
+ uniq -d
+)" ]; then
+ >&2 echo 'Signature(s) is/are not fully trusted:'
+ >&2 echo "${signatures}"
+ exit 3
+fi
+
 # check if the sent packages are the expected ones
 packages=$(
 find . -maxdepth 1 -name '*.pkg.tar.xz' -printf '%f\n' |
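Review bot: The acceptance test in the new `if` only compares totals — it passes whenever the number of `file` markers equals the number of `TRUST_FULLY` status lines summed over all packages — so it never establishes that each package has its own fully trusted signature (a detached `.sig` may carry more than one signature packet, and every valid one emits its own TRUST line). As far as I recall gpg also prints a `TRUST_*` line after `EXPKEYSIG`/`REVKEYSIG`, so a good signature from an expired or revoked key would be counted too, while `TRUST_ULTIMATE` is rejected although it is the stronger validity. Running gpg once per package and requiring, for that file, a zero exit status, exactly one `GOODSIG` line and a `TRUST_FULLY`/`TRUST_ULTIMATE` line ties the decision to the package, fails on the first bad one and lets the error name the offending file instead of dumping every status line. Note that `2> /dev/null` discards gpg's own diagnostics, so when the check trips the operator only sees the status-fd output.
```shell
# check if the signatures are valid: one gpg run per package, so every
# package needs its own good, fully (or ultimately) trusted signature
for package in ./*.pkg.tar.xz; do
  [ -f "${package}" ] || continue
  if ! status=$(
    gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg \
      --verify "${package}.sig" "${package}" 2> /dev/null
  ) \
    || [ "$(printf '%s\n' "${status}" | grep -c '^\[GNUPG:\] GOODSIG ')" -ne 1 ] \
    || ! printf '%s\n' "${status}" | grep -q '^\[GNUPG:\] TRUST_\(FULLY\|ULTIMATE\)'; then
    >&2 echo "Signature of ${package#./} is missing, bad or not fully trusted:"
    >&2 echo "${status}"
    exit 3
  fi
done
# … unchanged: check if the sent packages are the expected ones …
```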