| Message ID | 20171122043447.13946-1-eschwartz@archlinux.org |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | [pacman-dev,1/2] libmakepkg/integrity: fix regression that broke invalid file sigs | expand |
On 22/11/17 14:34, Eli Schwartz wrote: > In 42e7020281d3ae260e1e9693495f527b7f476625 creating the gpg statusfile > for a source file was split into a separate function, which used the > return code to indicate unsigned files and proto-specific errors. > However, the fallback return code was set by the final gpg invocation, > which would be 1 if the signature was somehow broken (for example, the > key was not available in the gpg keyring). As a result makepkg thought > that file did not have a signature and skipped over it rather than > erroring out. > > Fix this by explicitly setting the return code for all > verify_*_signature() functions. > OK
diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in index 24519dbe..add7f75d 100644 --- a/scripts/libmakepkg/integrity/verify_signature.sh.in +++ b/scripts/libmakepkg/integrity/verify_signature.sh.in @@ -157,6 +157,7 @@ verify_file_signature() { esac $decompress < "$sourcefile" | gpg --quiet --batch --status-file "$statusfile" --verify "$file" - 2> /dev/null + return 0 } verify_git_signature() { @@ -193,6 +194,7 @@ verify_git_signature() { errors=1 return 1 fi + return 0 } parse_gpg_statusfile() {
In 42e7020281d3ae260e1e9693495f527b7f476625 creating the gpg statusfile for a source file was split into a separate function, which used the return code to indicate unsigned files and proto-specific errors. However, the fallback return code was set by the final gpg invocation, which would be 1 if the signature was somehow broken (for example, the key was not available in the gpg keyring). As a result makepkg thought that file did not have a signature and skipped over it rather than erroring out. Fix this by explicitly setting the return code for all verify_*_signature() functions. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- I noticed this when building a package with pacman-git on a new laptop that did not yet have "auto-key-retrieve" in gpg.conf, fun stuff. scripts/libmakepkg/integrity/verify_signature.sh.in | 2 ++ 1 file changed, 2 insertions(+)