summaryrefslogtreecommitdiff
path: root/scripts/libmakepkg/integrity
diff options
context:
space:
mode:
authorEli Schwartz <eschwartz93@gmail.com>2017-01-03 15:10:17 -0500
committerAllan McRae <allan@archlinux.org>2017-01-04 13:59:15 +1000
commit42e7020281d3ae260e1e9693495f527b7f476625 (patch)
tree83fcbcc03ec549cd8fc5dd57f4b4d319c38c9ebc /scripts/libmakepkg/integrity
parent0994893b0e6b627d45a63884ac01af7d0967eff2 (diff)
downloadpacman-42e7020281d3ae260e1e9693495f527b7f476625.tar.xz
libmakepkg/integrity: Verify file signatures in a separate function
This makes it easier to add signature verification for new protos. Signed-off-by: Eli Schwartz <eschwartz93@gmail.com> Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/libmakepkg/integrity')
-rw-r--r--scripts/libmakepkg/integrity/verify_signature.sh.in84
1 files changed, 46 insertions, 38 deletions
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
index c5743f58..bbf18e87 100644
--- a/scripts/libmakepkg/integrity/verify_signature.sh.in
+++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
@@ -32,7 +32,7 @@ check_pgpsigs() {
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file ext decompress found pubkey success status fingerprint trusted
+ local netfile pubkey success status fingerprint trusted
local warning=0
local errors=0
local statusfile=$(mktemp)
@@ -46,44 +46,9 @@ check_pgpsigs() {
get_all_sources_for_arch 'all_sources'
;;
esac
- for file in "${all_sources[@]}"; do
- file="$(get_filename "$file")"
- if [[ $file != *.@(sig?(n)|asc) ]]; then
- continue
- fi
+ for netfile in "${all_sources[@]}"; do
+ verify_file_signature "$netfile" "$statusfile" || continue
- printf " %s ... " "${file%.*}" >&2
-
- if ! file="$(get_filepath "$file")"; then
- printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
- errors=1
- continue
- fi
-
- found=0
- for ext in "" gz bz2 xz lrz lzo Z; do
- if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
- found=1
- break;
- fi
- done
- if (( ! found )); then
- printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
- errors=1
- continue
- fi
-
- case "$ext" in
- gz) decompress="gzip -c -d -f" ;;
- bz2) decompress="bzip2 -c -d -f" ;;
- xz) decompress="xz -c -d" ;;
- lrz) decompress="lrzip -q -d" ;;
- lzo) decompress="lzop -c -d -q" ;;
- Z) decompress="uncompress -c -f" ;;
- "") decompress="cat" ;;
- esac
-
- $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
# these variables are assigned values in parse_gpg_statusfile
success=0
status=
@@ -145,6 +110,49 @@ check_pgpsigs() {
fi
}
+verify_file_signature() {
+ local netfile="$1" statusfile="$2"
+ local file ext decompress found sourcefile
+
+ file="$(get_filename "$netfile")"
+ if [[ $file != *.@(sig?(n)|asc) ]]; then
+ return 1
+ fi
+
+ printf " %s ... " "${file%.*}" >&2
+
+ if ! file="$(get_filepath "$netfile")"; then
+ printf '%s\n' "$(gettext "SIGNATURE NOT FOUND")" >&2
+ errors=1
+ return 1
+ fi
+
+ found=0
+ for ext in "" gz bz2 xz lrz lzo Z; do
+ if sourcefile="$(get_filepath "${file%.*}${ext:+.$ext}")"; then
+ found=1
+ break;
+ fi
+ done
+ if (( ! found )); then
+ printf '%s\n' "$(gettext "SOURCE FILE NOT FOUND")" >&2
+ errors=1
+ return 1
+ fi
+
+ case "$ext" in
+ gz) decompress="gzip -c -d -f" ;;
+ bz2) decompress="bzip2 -c -d -f" ;;
+ xz) decompress="xz -c -d" ;;
+ lrz) decompress="lrzip -q -d" ;;
+ lzo) decompress="lzop -c -d -q" ;;
+ Z) decompress="uncompress -c -f" ;;
+ "") decompress="cat" ;;
+ esac
+
+ $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null
+}
+
parse_gpg_statusfile() {
local type arg1 arg6 arg10