From 2d7471aae8d77315d37c0445cd880cf597a6e0a2 Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Sat, 11 Nov 2017 00:22:29 +0100
Subject: bin/return-assignment: check validity of package signatures

---
 bin/return-assignment | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/bin/return-assignment b/bin/return-assignment
index e9df686..1acf3fd 100755
--- a/bin/return-assignment
+++ b/bin/return-assignment
@@ -197,6 +197,26 @@ if [ -n "${missing_files}" ]; then
   exit 3
 fi
 
+# check if the signatures are valid
+signatures=$(
+  find . -maxdepth 1 -name '*.pkg.tar.xz' \
+    -printf 'package file %f\n' \
+    -exec gpg --batch --status-fd 1 -q --homedir /etc/pacman.d/gnupg --verify '{}.sig' '{}' \; 2> /dev/null
+)
+if [ -z "$(
+  echo "${signatures}" | \
+    cut -d' ' -f2 | \
+    grep -x 'file\|TRUST_FULLY' | \
+    sort | \
+    uniq -c | \
+    awk '{print $1}' | \
+    uniq -d
+)" ]; then
+  >&2 echo 'Signature(s) is/are not fully trusted:'
+  >&2 echo "${signatures}"
+  exit 3
+fi
+
 # check if the sent packages are the expected ones
 packages=$(
   find . -maxdepth 1 -name '*.pkg.tar.xz' -printf '%f\n'
-- 
cgit v1.2.3-54-g00ecf