
#!/bin/bash
# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
#
# This material is provided as is, with absolutely no warranty expressed
# or implied. Any use is at your own risk.
#
# Permission is hereby granted to use or copy this shellscript
# for any purpose, provided the above notices are retained on all copies.
# Permission to modify the code and to distribute modified code is granted,
# provided the above notices are retained, and a notice that the code was
# modified is included with the above copyright notice.
#######################################
# Print the usage text.
# Arguments: none
# Outputs:   usage line, description and parameter list on stdout
# Returns:   0
#######################################
print_help() {
    # One array element per output line; empty elements are the blank
    # separator lines between paragraphs.
    local -a help_lines=(
        'Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>'
        ''
        'gpgverify is a wrapper around gpgv designed for easy and safe scripting. It'
        'verifies a file against a detached OpenPGP signature and a keyring. The keyring'
        'shall contain all the keys that are trusted to certify the authenticity of the'
        'file, and must not contain any untrusted keys.'
        ''
        'The differences, compared to invoking gpgv directly, are that gpgverify accepts'
        'the keyring in either ASCII-armored or unarmored form, and that it will not'
        'accidentally use a default keyring in addition to the specified one.'
        ''
        'Parameters:'
        '  --keyring=<pathname>    keyring with all the trusted keys and no others'
        '  --signature=<pathname>  detached signature to verify'
        '  --data=<pathname>       file to verify against the signature'
    )
    printf '%s\n' "${help_lines[@]}"
}
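#######################################
# Print an error message and terminate the script.
# Arguments: $1 - the error message
#            $2 - the number to use as the exit code
# Outputs:   the message, prefixed with the program name, on stderr
# Returns:   does not return; the script exits with $2 (1 if $2 was omitted,
#            so that an error path can never exit with status 0)
#######################################
fatal_error() {
    local message="$1"
    local status="$2"
    # printf instead of echo: the message is data and must not be parsed
    # as echo options or escape sequences.
    printf 'gpgverify: %s\n' "$message" >&2
    exit "${status:-1}"
}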
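#######################################
# Abort with a usage error if a required parameter was not supplied.
# Arguments: $1 - the term used for the parameter in the error message
#            $2 - the parameter's value; empty means it was not supplied
# Outputs:   nothing on success; fatal_error writes to stderr on failure
# Returns:   0 if $2 is non-empty; otherwise exits with status 2
#######################################
require_parameter() {
    local term="$1"
    local value="$2"
    if [[ -z "$value" ]]; then
        fatal_error "No ${term} was provided." 2
    fi
}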
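#######################################
# Abort if a command failed, propagating its exit code.
# Arguments: $1 - a string that describes the action that was attempted
#            $2 - the exit code of the command
# Outputs:   nothing on success; fatal_error writes to stderr on failure
# Returns:   0 if $2 is 0; otherwise exits with status $2
#######################################
check_status() {
    local action="$1"
    local status="$2"
    if [[ "$status" -ne 0 ]]; then
        fatal_error "$action failed." "$status"
    fi
}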
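# Parse the command line.
keyring=
signature=
data=
for parameter in "$@" ; do
    case "${parameter}" in
        (--help)
            print_help
            exit 0
            ;;
        (--keyring=*)
            keyring="${parameter#*=}"
            ;;
        (--signature=*)
            signature="${parameter#*=}"
            ;;
        (--data=*)
            data="${parameter#*=}"
            ;;
        (*)
            fatal_error "Unknown parameter: \"${parameter}\"" 2
            ;;
    esac
done
require_parameter 'keyring' "${keyring}"
require_parameter 'signature' "${signature}"
require_parameter 'data file' "${data}"

# Make a temporary working directory. mktemp chooses an unpredictable name,
# so nothing else can pre-create the path. The status checked below is that
# of the command substitution, which bash reports for an assignment.
workdir="$(mktemp --directory)"
check_status 'Making a temporary directory' "$?"
workring="${workdir}/keyring.gpg"

# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
# ASCII-armored.
gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
check_status 'Decoding the keyring' "$?"

# Verify the signature using the decoded keyring. gpgv2 exits non-zero when
# the signature does not verify against that keyring, and check_status turns
# that into a fatal exit, so a caller only gets past this point on success.
gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
check_status 'Signature verification' "$?"

# (--homedir isn't actually necessary. --dearmor processes only the input file,
# and if --keyring is used and contains a slash, then gpgv2 uses only that
# keyring. Thus neither command will look for a default keyring, but --homedir
# makes extra double sure that no default keyring will be touched in case
# another version of GPG works differently.)

# Clean up. (This is not done in case of an error that may need inspection.)
# The expansion is quoted so a path containing whitespace is one argument, and
# ${workdir:?} aborts instead of expanding to nothing if the variable were ever
# empty, so rm can never be handed the wrong directory.
rm --recursive --force "${workdir:?}"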