From 899d39b635d46f9e2daff1aada75ea07f08fef64 Mon Sep 17 00:00:00 2001 From: Eli Schwartz Date: Mon, 8 Jun 2020 21:59:18 -0400 Subject: makepkg/repo-add: handle GPGKEY with spaces We pass this to gpg -u and this gpg option can accept a number of different formats, not just the historical hexadecimal fingerprint we assumed. We should not barf hard if a format is used which happens to contain spaces. This also fixes a validation bug. When we initially check if the desired key is available, we don't quote spaces, so gpg goes ahead and treats each space-separated string as a *different key* to search for, returning partial matches, and returning success if at least one key is found. But gpg --detach-sign -u will certainly not accept multiple keys! Fixes FS#66949 Signed-off-by: Eli Schwartz Signed-off-by: Allan McRae --- scripts/libmakepkg/integrity/generate_signature.sh.in | 6 +++--- scripts/makepkg.sh.in | 2 +- scripts/repo-add.sh.in | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) (limited to 'scripts') diff --git a/scripts/libmakepkg/integrity/generate_signature.sh.in b/scripts/libmakepkg/integrity/generate_signature.sh.in index aec96c03..748087c2 100644 --- a/scripts/libmakepkg/integrity/generate_signature.sh.in +++ b/scripts/libmakepkg/integrity/generate_signature.sh.in @@ -29,12 +29,12 @@ create_signature() { local ret=0 local filename="$1" - local SIGNWITHKEY="" + local SIGNWITHKEY=() if [[ -n $GPGKEY ]]; then - SIGNWITHKEY="-u ${GPGKEY}" + SIGNWITHKEY=(-u "${GPGKEY}") fi - gpg --detach-sign --use-agent ${SIGNWITHKEY} --no-armor "$filename" &>/dev/null || ret=$? + gpg --detach-sign --use-agent "${SIGNWITHKEY[@]}" --no-armor "$filename" &>/dev/null || ret=$? if (( ! ret )); then diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index caf809f3..0de77c0c 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1286,7 +1286,7 @@ fi # check if gpg signature is to be created and if signing key is valid if { [[ -z $SIGNPKG ]] && check_buildenv "sign" "y"; } || [[ $SIGNPKG == 'y' ]]; then SIGNPKG='y' - if ! gpg --list-key ${GPGKEY} &>/dev/null; then + if ! gpg --list-key ${GPGKEY:+"$GPGKEY"} &>/dev/null; then if [[ ! -z $GPGKEY ]]; then error "$(gettext "The key %s does not exist in your keyring.")" "${GPGKEY}" else diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in index 545c2929..272d8d22 100644 --- a/scripts/repo-add.sh.in +++ b/scripts/repo-add.sh.in @@ -137,7 +137,7 @@ check_gpg() { fi if (( ! VERIFY )); then - if ! gpg --list-key ${GPGKEY} &>/dev/null; then + if ! gpg --list-key ${GPGKEY:+"$GPGKEY"} &>/dev/null; then if [[ ! -z $GPGKEY ]]; then error "$(gettext "The key ${GPGKEY} does not exist in your keyring.")" elif (( ! KEY )); then @@ -155,11 +155,11 @@ create_signature() { local ret=0 msg "$(gettext "Signing database '%s'...")" "${dbfile##*/.tmp.}" - local SIGNWITHKEY="" + local SIGNWITHKEY=() if [[ -n $GPGKEY ]]; then - SIGNWITHKEY="-u ${GPGKEY}" + SIGNWITHKEY=(-u "${GPGKEY}") fi - gpg --detach-sign --use-agent --no-armor ${SIGNWITHKEY} "$dbfile" &>/dev/null || ret=$? + gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "$dbfile" &>/dev/null || ret=$? if (( ! ret )); then msg2 "$(gettext "Created signature file '%s'")" "${dbfile##*/.tmp.}.sig" -- cgit v1.2.3-54-g00ecf