commitpkg: prefer explicit signature+data parameters for gpg --verify

Let's prefer the explicit variant of gpg --verify by providing both the
signature and the data file as parameters.
For the unlikely case there is a matching signature file already present
that was created outside of the toolchain and has an embedded signature
with data, we at least could detect it early with this check.

Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Levente Polyak 2019-09-19 20:58:00 +02:00
parent fd6e801cfb
commit f32a264796
No known key found for this signature in database
GPG Key ID: FC1B547C8D8172C8
1 changed files with 2 additions and 2 deletions

@ -162,8 +162,8 @@ for _arch in "${arch[@]}"; do
fi
gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "${pkgfile}" || die
fi
if ! gpg --verify "$sigfile" >/dev/null 2>&1; then
die "Signature %s.sig is incorrect!" "$pkgfile"
if ! gpg --verify "$sigfile" "$pkgfile" >/dev/null 2>&1; then
die "Signature %s is incorrect!" "$sigfile"
fi
uploads+=("$sigfile")
done
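
Review bot: On the `gpg --verify "$sigfile" "$pkgfile"` line, a zero exit status only shows that some key in the keyring produced a good signature over the package; nothing ties the signer to the key passed via `"${SIGNWITHKEY[@]}"` on the `--detach-sign` line above. Since the commit message is about a signature file that was created outside the toolchain, consider reading gpg's `--status-fd` output and comparing the VALIDSIG fingerprint against the expected key when one is configured. Separately, `>/dev/null 2>&1` discards the reason for a failure (missing public key, bad signature, wrong data file), so the `die` message alone will not tell the packager what to fix; printing gpg's stderr on the failure path would help.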