author | Guillem Jover <guillem@debian.org> | 2019-05-01 23:20:38 +0200 |
---|---|---|
committer | Guillem Jover <guillem@debian.org> | 2019-10-12 16:37:22 +0200 |
commit | 139dfc4c78593d995610c0aa180300a9a7dd94ac (patch) | |
tree | 866278246c9441a2930d7bcdd9c255144aaf6d03 /scripts | |
parent | 1973a0789cea5ac0e7da10a81cc5cca8384200df (diff) | |
download | dpkg-139dfc4c78593d995610c0aa180300a9a7dd94ac.tar.gz |
Dpkg::OpenPGP: Refactor signature verification into a new function
Diffstat (limited to 'scripts')
-rw-r--r-- | scripts/Dpkg/OpenPGP.pm | 40 | ||||
-rw-r--r-- | scripts/Dpkg/Source/Package.pm | 47 |
2 files changed, 49 insertions, 38 deletions
diff --git a/scripts/Dpkg/OpenPGP.pm b/scripts/Dpkg/OpenPGP.pm
index f719e6e4e..234c90a4d 100644
--- a/scripts/Dpkg/OpenPGP.pm
+++ b/scripts/Dpkg/OpenPGP.pm
@@ -18,6 +18,7 @@ package Dpkg::OpenPGP;
 use strict;
 use warnings;
+use POSIX qw(:sys_wait_h);
 use Exporter qw(import);
 use File::Copy;
@@ -80,4 +81,43 @@ sub openpgp_sig_to_asc
     return;
 }
+sub verify_signature {
+    my ($sig, %opts) = @_;
+
+    $opts{require_valid_signature} //= 1;
+
+    my @exec;
+    if (find_command('gpgv')) {
+        push @exec, 'gpgv';
+    } elsif (find_command('gpg')) {
+        push @exec, 'gpg', '--no-default-keyring', '-q', '--verify';
+    } elsif ($opts{require_valid_signature}) {
+        error(g_('cannot verify signature on %s since GnuPG is not installed'),
+              $sig);
+    } else {
+        warning(g_('cannot verify signature on %s since GnuPG is not installed'),
+                $sig);
+        return;
+    }
+    foreach my $keyring (@{$opts{keyrings}}) {
+        push @exec, '--keyring', $keyring;
+    }
+    push @exec, $sig;
+
+    my ($stdout, $stderr);
+    spawn(exec => \@exec, wait_child => 1, nocheck => 1, timeout => 10,
+          to_string => \$stdout, error_to_string => \$stderr);
+    if (WIFEXITED($?)) {
+        my $status = WEXITSTATUS($?);
+        print { *STDERR } "$stdout$stderr" if $status;
+        if ($status == 1 or ($status && $opts{require_valid_signature})) {
+            error(g_('failed to verify signature on %s'), $sig);
+        } elsif ($status) {
+            warning(g_('failed to verify signature on %s'), $sig);
+        }
+    } else {
+        subprocerr("@exec");
+    }
+}
+
 1;
diff --git a/scripts/Dpkg/Source/Package.pm b/scripts/Dpkg/Source/Package.pm
index e800a6392..e7c4fb22d 100644
--- a/scripts/Dpkg/Source/Package.pm
+++ b/scripts/Dpkg/Source/Package.pm
@@ -58,6 +58,7 @@ use Dpkg::Path qw(check_files_are_the_same find_command);
 use Dpkg::IPC;
 use Dpkg::Vendor qw(run_vendor_hook);
 use Dpkg::Source::Format;
+use Dpkg::OpenPGP;
 my $diff_ignore_default_regex = '
 # Ignore general backup files
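Review bot: The new public verify_signature() in the second OpenPGP.pm hunk has no POD describing its contract, while its behaviour is subtle enough to need it: exit status 1 is always fatal, any other non-zero status is fatal only when require_valid_signature is set, and require_valid_signature silently defaults to 1 via `$opts{require_valid_signature} //= 1;`. I would add a =head2 entry documenting `$sig` as the signed file to check, `keyrings` as an arrayref of paths each passed as `--keyring`, `require_valid_signature` with its default of 1, and the status-1-versus-other split in terms of gpgv's exit codes (1 for a bad signature, 2 for other failures such as a missing public key). It is also worth stating in that POD that the two backends are not equivalent when `keyrings` is empty: the gpg branch runs with `--no-default-keyring` and so has no keys at all, whereas gpgv (as far as I recall its documented behaviour) falls back to its own default trustedkeys keyring, so the trust base depends on which binary happens to be installed. The timeout of 10 seconds is hard-coded in the spawn() call; a short comment such as `# 10s is generous for a local keyring lookup; bump if network keyservers are ever used` would explain why it is fixed.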
@@ -427,48 +428,18 @@ then any problem will result in a fatal error.
 sub check_signature {
     my $self = shift;
     my $dsc = $self->get_filename();
-    my @exec;
+    my @keyrings;
-    if (find_command('gpgv')) {
-        push @exec, 'gpgv';
-    } elsif (find_command('gpg')) {
-        push @exec, 'gpg', '--no-default-keyring', '-q', '--verify';
+    if (length $ENV{HOME} and -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
+        push @keyrings, "$ENV{HOME}/.gnupg/trustedkeys.gpg";
     }
-    if (scalar(@exec)) {
-        if (length $ENV{HOME} and -r "$ENV{HOME}/.gnupg/trustedkeys.gpg") {
-            push @exec, '--keyring', "$ENV{HOME}/.gnupg/trustedkeys.gpg";
-        }
-        foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
-            if (-r $vendor_keyring) {
-                push @exec, '--keyring', $vendor_keyring;
-            }
-        }
-        push @exec, $dsc;
-
-        my ($stdout, $stderr);
-        spawn(exec => \@exec, wait_child => 1, nocheck => 1,
-              to_string => \$stdout, error_to_string => \$stderr,
-              timeout => 10);
-        if (WIFEXITED($?)) {
-            my $gpg_status = WEXITSTATUS($?);
-            print { *STDERR } "$stdout$stderr" if $gpg_status;
-            if ($gpg_status == 1 or ($gpg_status &&
-                $self->{options}{require_valid_signature}))
-            {
-                error(g_('failed to verify signature on %s'), $dsc);
-            } elsif ($gpg_status) {
-                warning(g_('failed to verify signature on %s'), $dsc);
-            }
-        } else {
-            subprocerr("@exec");
-        }
-    } else {
-        if ($self->{options}{require_valid_signature}) {
-            error(g_('cannot verify signature on %s since GnuPG is not installed'), $dsc);
-        } else {
-            warning(g_('cannot verify signature on %s since GnuPG is not installed'), $dsc);
+    foreach my $vendor_keyring (run_vendor_hook('package-keyrings')) {
+        if (-r $vendor_keyring) {
+            push @keyrings, $vendor_keyring;
         }
     }
+
+    Dpkg::OpenPGP::verify_signature($dsc, keyrings => \@keyrings);
 }
 sub describe_cmdline_options {
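Review bot: The new call `Dpkg::OpenPGP::verify_signature($dsc, keyrings => \@keyrings);` at the end of check_signature() drops the `$self->{options}{require_valid_signature}` that the removed code consulted, so the callee's default of 1 (set by `$opts{require_valid_signature} //= 1;` in the OpenPGP.pm hunk) now applies unconditionally. Where the option was unset, a non-1 non-zero gpg/gpgv status (for example a missing public key) and the GnuPG-not-installed case used to produce a warning; after this change both become fatal, which is a behaviour change the commit message describes only as a refactor. The fix is to pass the option through: `Dpkg::OpenPGP::verify_signature($dsc, keyrings => \@keyrings,` / `    require_valid_signature => $self->{options}{require_valid_signature});`. Separately, the context lines still show `use Dpkg::IPC;` and the `find_command` import from Dpkg::Path, which this function no longer uses; if nothing else in the file (not visible here) needs them, they and the POSIX `:sys_wait_h` import should go in a follow-up.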