2011-11-10 17:01:19 +00:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
|
|
verify_rpm() {
|
|
|
|
RPM=$1
|
|
|
|
|
2011-11-10 17:33:04 +00:00
|
|
|
if ! [ -f $RPM ]; then
|
|
|
|
echo -n "No such file... "
|
|
|
|
return
|
|
|
|
fi
|
|
|
|
|
|
|
|
if ! rpm --checksig $RPM > /dev/null; then
|
2012-11-19 16:43:09 +00:00
|
|
|
echo "Wrong PGP signature on $RPM!"
|
2011-11-10 17:01:19 +00:00
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
|
|
|
# Even if rpm returns success (ret = 0) that doesn't
|
|
|
|
# mean that the rpm has been signed! It might simply
|
|
|
|
# have no PGP signature at all. Yes, stupidity...
|
|
|
|
|
2014-04-08 00:30:07 +00:00
|
|
|
if ! rpm --checksig $RPM | grep ' pgp ' > /dev/null ; then
|
2011-11-10 17:01:19 +00:00
|
|
|
if [ "$NO_SIGN" == "1" ] ; then
|
|
|
|
# When signing is disabed in qubes-builder
|
|
|
|
# This is used to build unsigned ISO
|
|
|
|
# This should only be used for testing builds
|
2011-11-28 22:05:51 +00:00
|
|
|
return 0
|
2011-11-10 17:01:19 +00:00
|
|
|
fi
|
|
|
|
|
2014-04-08 00:30:07 +00:00
|
|
|
echo "No PGP signature found!"
|
|
|
|
|
2011-11-10 17:01:19 +00:00
|
|
|
exit 2
|
|
|
|
fi
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if [ $# -lt 1 ]; then
|
|
|
|
echo "Usage: $0 <rpm file>"
|
|
|
|
exit 1
|
|
|
|
fi
|
|
|
|
|
2014-11-20 20:24:50 +00:00
|
|
|
# Make sure that the right Qubes release key is imported (in chroot)
|
2014-11-22 00:10:24 +00:00
|
|
|
rpm --import `dirname $0`/qubes-release/RPM-GPG-KEY-qubes-*-primary
|
2014-11-20 20:24:50 +00:00
|
|
|
|
2011-11-10 17:01:19 +00:00
|
|
|
for FILE in "$@"; do
|
2012-11-19 16:43:09 +00:00
|
|
|
verify_rpm $FILE || exit 1
|
2011-11-10 17:01:19 +00:00
|
|
|
done
|
|
|
|
|