authorThomas Bächler <thomas@archlinux.org>2014-05-04 10:30:59 +0200
committerAllan McRae <allan@archlinux.org>2014-05-23 15:31:00 +1000
commitd174cc8943344a14330c8dce20941de303a44927 (patch)
treec46f95634d95fa87d1b58f1f8083ec7eb5b0ca6d
parent34ae6ce4e5a47b11b7fa55b94bc476f294b004bc (diff)
makepkg: Treat a signature from an untrusted key as an error
Signed-off-by: Allan McRae <allan@archlinux.org>
-rw-r--r--scripts/makepkg.sh.in36
1 files changed, 24 insertions, 12 deletions
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index aa2a2f3c..21bb289c 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -1283,6 +1283,12 @@ parse_gpg_statusfile() {
status="error"
fi
;;
+ TRUST_UNDEFINED|TRUST_NEVER)
+ trusted=0
+ ;;
+ TRUST_MARGINAL|TRUST_FULLY|TRUST_ULTIMATE)
+ trusted=1
+ ;;
esac
done < "$1"
}
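Review bot: The new case arm sets `trusted=1` for TRUST_MARGINAL as well as TRUST_FULLY and TRUST_ULTIMATE, so a key that gpg rates only marginally valid passes the new check. If that is the intended policy, record it with a comment on the arm, for example `# marginal validity is accepted on purpose; only undefined/never is rejected`. Otherwise move TRUST_MARGINAL to the `trusted=0` arm. parse_gpg_statusfile begins above this hunk, so how the status keyword is extracted from each line is not visible here.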
@@ -1293,7 +1299,7 @@ check_pgpsigs() {
msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
- local file ext decompress found pubkey success status
+ local file ext decompress found pubkey success status trusted
local warning=0
local errors=0
local statusfile=$(mktemp)
@@ -1340,6 +1346,7 @@ check_pgpsigs() {
success=0
status=
pubkey=
+ trusted=
parse_gpg_statusfile "$statusfile"
if (( ! $success )); then
printf '%s' "$(gettext "FAILED")" >&2
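Review bot: Resetting with `trusted=` leaves the variable empty whenever the status file has no line matching one of the five new TRUST_* arms, and the new test fails open in that case. The test `(( ! $trusted ))` in the @@ -1359 hunk then expands to `(( ! ))`, an arithmetic syntax error that returns non-zero, so the `else` branch runs and the file is reported as Passed. Initialising with `trusted=0` here makes a missing trust line fail closed. Whether gpg can report a good signature without one of those lines cannot be told from this page, but the check should not depend on it.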
@@ -1359,17 +1366,22 @@ check_pgpsigs() {
esac
errors=1
else
- printf '%s' "$(gettext "Passed")" >&2
- case "$status" in
- "expired")
- printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
- warnings=1
- ;;
- "expiredkey")
- printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
- warnings=1
- ;;
- esac
+ if (( ! $trusted )); then
+ printf "%s ($(gettext "the public key %s is not trusted"))" $(gettext "FAILED") "$pubkey" >&2
+ errors=1
+ else
+ printf '%s' "$(gettext "Passed")" >&2
+ case "$status" in
+ "expired")
+ printf ' (%s)' "$(gettext "WARNING:") $(gettext "the signature has expired.")" >&2
+ warnings=1
+ ;;
+ "expiredkey")
+ printf ' (%s)' "$(gettext "WARNING:") $(gettext "the key has expired.")" >&2
+ warnings=1
+ ;;
+ esac
+ fi
fi
printf '\n' >&2
done
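Review bot: In the new untrusted-key branch, `$(gettext "FAILED")` is passed to printf unquoted, so a translation containing a space is split into several arguments and the key ID no longer lines up with its `%s`. Quote it as `"$(gettext "FAILED")"`, matching the quoted `printf '%s' "$(gettext "Passed")"` a few lines below. The same call interpolates the translated message into the format string, so a stray `%` or backslash in a translation would be interpreted by printf. That part is deliberate, since the message carries the `%s` for the key, but it deserves a translator note. The enclosing loop in check_pgpsigs starts above this hunk.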