From f32a264796b3b43662b4734f1730d7a819d32484 Mon Sep 17 00:00:00 2001 From: Levente Polyak Date: Thu, 19 Sep 2019 20:58:00 +0200 Subject: commitpkg: prefer explicit signature+data parameters for gpg --verify Lets prefer the explicit variant of gpg --verify by providing both, the signature and the data file as parameters. For the unlikely case there is a matching signature file already present that was created outside of the toolchain and has an embedded signature with data, we at least could detect it early with this check. Signed-off-by: Levente Polyak --- commitpkg.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/commitpkg.in b/commitpkg.in index d55ce37..31b2443 100644 --- a/commitpkg.in +++ b/commitpkg.in @@ -162,8 +162,8 @@ for _arch in "${arch[@]}"; do fi gpg --detach-sign --use-agent --no-armor "${SIGNWITHKEY[@]}" "${pkgfile}" || die fi - if ! gpg --verify "$sigfile" >/dev/null 2>&1; then - die "Signature %s.sig is incorrect!" "$pkgfile" + if ! gpg --verify "$sigfile" "$pkgfile" >/dev/null 2>&1; then + die "Signature %s is incorrect!" "$sigfile" fi uploads+=("$sigfile") done -- cgit v1.2.3-70-g09d2