Better gpg signature checking

59c7d6d6 · Ruben Rodriguez · 1469f142 · 59c7d6d6
Commit 59c7d6d6 authored 5 years ago by Ruben Rodriguez
--- a/helpers/config
+++ b/helpers/config
@@ -134,21 +134,16 @@ cd PACKAGES/$PACKAGE
 apt-get update -c $LOCAL_APT/etc/apt.conf
 apt-get source $PACKAGE --download-only -c ${LOCAL_APT}/etc/apt.conf
 # Verify it first
-#   Import the key for the package uploader
+if grep -q "BEGIN PGP SIGNATURE" *.dsc; then
-#   Use the one listed in the helper if available, otherwise download the one listed in the dsc
+  KEY=$(gpg2 --keyid-format 0xlong --verify  *.dsc  2>&1 | grep 0x | sed 's/.*0x//' || true)
-if [ "1$SIGNKEY" != "1" ] ; then
+  [ -z "$KEY" ] && KEY=$(gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc 2>&1 | egrep ".SA key" | sed 's/.*.SA key //' || true)
-  apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver hkps://keyserver.ubuntu.com:443 $SIGNKEY > /dev/null
+  apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver hkps://keyserver.ubuntu.com:443 $KEY > /dev/null
-  gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc
+  touch ${LOCAL_APT}/keyring.gpg
+  gpg2 --keyring ${LOCAL_APT}/keyring.gpg --import ${LOCAL_APT}/etc/trusted.gpg
+  gpg2 --verify --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc
 else
-  if grep -q "BEGIN PGP SIGNATURE" *.dsc; then
+  echo WARNING! The dsc file is not gpg signed!
-    KEY=$(gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc 2>&1 | grep "key ID" | sed 's/.*key ID //' || true)
+  [ -z "$EXTERNAL" ] && exit 1
-    [ -z "$KEY" ] && KEY=$(gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc 2>&1 | egrep ".SA key" | sed 's/.*.SA key //' || true)
-    apt-key --keyring ${LOCAL_APT}/etc/trusted.gpg adv --recv-keys --keyserver hkps://keyserver.ubuntu.com:443 $KEY > /dev/null
-    gpgv --keyring ${LOCAL_APT}/etc/trusted.gpg *.dsc
-  else
-    echo WARNING! The dsc file is not gpg signed!
-    [ -z "$EXTERNAL" ] && exit 1
-  fi
 fi
 dpkg-source --no-check -x --skip-patches *.dsc source