authorLevente Polyak <anthraxx@archlinux.org>2019-09-19 20:58:00 +0200
committerLevente Polyak <anthraxx@archlinux.org>2019-09-28 00:16:07 +0200
commitf32a264796b3b43662b4734f1730d7a819d32484 (patch)
tree26b5aafd30be05bc870cb104bddf02b62e9bd331 /commitpkg.in
parentfd6e801cfb0910c00a789c6b3f17461d8610c99b (diff)
commitpkg: prefer explicit signature+data parameters for gpg --verify
Let's prefer the explicit variant of gpg --verify by providing both the signature and the data file as parameters. In the unlikely case that a matching signature file is already present that was created outside of the toolchain and has an embedded signature with data, we can at least detect it early with this check. Signed-off-by: Levente Polyak <anthraxx@archlinux.org>
Diffstat (limited to 'commitpkg.in')
-rw-r--r--commitpkg.in4
1 files changed, 2 insertions, 2 deletions
diff --git a/commitpkg.in b/commitpkg.in
index d55ce37..31b2443 100644
--- a/commitpkg.in
+++ b/commitpkg.in
@@ -162,8 +162,8 @@ for _arch in "${arch[@]}"; do
fi
gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "${pkgfile}" || die
fi
- if ! gpg --verify "$sigfile" >/dev/null 2>&1; then
- die "Signature %s.sig is incorrect!" "$pkgfile"
+ if ! gpg --verify "$sigfile" "$pkgfile" >/dev/null 2>&1; then
+ die "Signature %s is incorrect!" "$sigfile"
fi
uploads+=("$sigfile")
done
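Review bot: The `gpg --verify "$sigfile" "$pkgfile"` check still accepts a signature from any key in the caller's keyring, because only the exit status is tested. A pre-existing `.sig` made outside the toolchain (the case the commit message names) would pass as long as it is a valid detached signature over the package, whoever signed it. If the intent is that the signature comes from the packager's own key, read the machine-readable status instead, e.g. `gpg --status-fd 1 --verify "$sigfile" "$pkgfile" 2>/dev/null | grep -q '^\[GNUPG:\] VALIDSIG '`, and compare the fingerprint on that line with the expected key. How the expected key is known is not visible in this hunk. Separately, `>/dev/null 2>&1` discards gpg's reason for failure, so a missing public key, an expired key and a bad signature all show up as "is incorrect"; letting stderr through before `die` would make failures easier to diagnose. The `for _arch` loop body begins outside the hunk.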