author | Levente Polyak <anthraxx@archlinux.org> | 2019-09-19 20:58:00 +0200 |
---|---|---|
committer | Levente Polyak <anthraxx@archlinux.org> | 2019-09-28 00:16:07 +0200 |
commit | f32a264796b3b43662b4734f1730d7a819d32484 (patch) | |
tree | 26b5aafd30be05bc870cb104bddf02b62e9bd331 | |
parent | fd6e801cfb0910c00a789c6b3f17461d8610c99b (diff) | |
download | devtools-f32a264796b3b43662b4734f1730d7a819d32484.tar.xz |
commitpkg: prefer explicit signature+data parameters for gpg --verify
Let's prefer the explicit variant of gpg --verify by providing both the
signature and the data file as parameters.
For the unlikely case there is a matching signature file already present
that was created outside of the toolchain and has an embedded signature
with data, we at least could detect it early with this check.
Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
-rw-r--r-- | commitpkg.in | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/commitpkg.in b/commitpkg.in index d55ce37..31b2443 100644 --- a/commitpkg.in +++ b/commitpkg.in @@ -162,8 +162,8 @@ for _arch in "${arch[@]}"; do fi gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "${pkgfile}" || die fi - if ! gpg --verify "$sigfile" >/dev/null 2>&1; then - die "Signature %s.sig is incorrect!" "$pkgfile" + if ! gpg --verify "$sigfile" "$pkgfile" >/dev/null 2>&1; then + die "Signature %s is incorrect!" "$sigfile" fi uploads+=("$sigfile") done |
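Review bot: the new `gpg --verify "$sigfile" "$pkgfile" >/dev/null 2>&1` line in the `@@ -162,8 +162,8 @@` hunk still discards both output streams, so a bad signature, a missing public key and an unreadable file all end in the same "Signature %s is incorrect!" message. Consider letting gpg's stderr through, or capturing it and appending it to the `die` text, so the packager can tell which case was hit. Separately, the check accepts a good signature from any key gpg can find, while the signing call above uses `"${SIGNWITHKEY[@]}"`; for the pre-existing signature file case the commit message describes, it may be worth confirming the signer as well, for example by reading the VALIDSIG line from `--status-fd` and comparing the fingerprint with the intended key.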