rpm_verify
#!/bin/sh
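#######################################
# Check that an RPM passes `rpm --checksig` AND actually carries a PGP
# signature (rpm reports success for packages that have no signature at all).
# Globals:   RPM (written)        - path being checked
#            sig_report, sig_fields (written) - scratch values
#            NO_SIGN (read)       - "1" accepts packages without a PGP
#                                   signature (test builds only)
# Arguments: $1 - path to the RPM file
# Outputs:   diagnostics on stdout
# Returns:   0 when the signature is accepted, when NO_SIGN=1 and the
#            package is unsigned, or when the file does not exist
# Exits:     1 when `rpm --checksig` fails, 2 when no PGP signature is found
#######################################
verify_rpm() {
  RPM=$1

  # A path beginning with '-' would be read by rpm as an option, not a file.
  case $RPM in
    -*) RPM=./$RPM ;;
  esac

  # Quoted: an unquoted path containing whitespace makes `[ -f ... ]` error
  # out, which lands in this branch and skips verification with status 0.
  if ! [ -f "$RPM" ]; then
    # NOTE(review): a missing file is reported as success, as before. Callers
    # must not read status 0 as "signature verified" for a path that may be
    # absent - confirm this best-effort behaviour is still wanted.
    printf '%s' "No such file... "
    return 0
  fi

  # Run the check once and keep its report, so the pass/fail status and the
  # signature inspection below describe the same read of the file.
  if ! sig_report=$(rpm --checksig "$RPM"); then
    echo "Wrong PGP signature on $RPM!"
    exit 1
  fi

  # Even if rpm returns success (ret = 0) that doesn't mean that the rpm has
  # been signed! It might simply have no PGP signature at all.
  # Drop the leading "<path>:" so that a file *name* containing " pgp "
  # cannot stand in for the signature field.
  # NOTE(review): this relies on rpm's textual report containing a " pgp "
  # token for signed packages - confirm against the rpm version in use.
  sig_fields=${sig_report#"$RPM":}
  case $sig_fields in
    *' pgp '*) return 0 ;;
  esac

  # `=` instead of `==`: the latter is not POSIX and errors out under
  # /bin/sh implementations such as dash.
  if [ "$NO_SIGN" = "1" ]; then
    # Signing is disabled in qubes-builder: used to build an unsigned ISO.
    # This should only be used for testing builds; keep NO_SIGN out of the
    # environment of release builds.
    return 0
  fi

  echo "No PGP signature found!"
  exit 2
}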
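# Entry point: verify every RPM named on the command line.
if [ $# -lt 1 ]; then
  echo "Usage: $0 <rpm file>"
  exit 1
fi

# Keys can only be imported when the rpm database is writable.
if [ -w /var/lib/rpm ]; then
  script_dir=$(dirname -- "$0")
  # Make sure that the right Qubes release key is imported (in chroot).
  # Only the directory part is quoted so the key-name glob still expands.
  # NOTE(review): an import failure is not fatal here, and `rpm --checksig`
  # presumably accepts a signature from any key already in this rpm
  # database, not only the Qubes keys - confirm the database holds nothing
  # else that should not be trusted for these packages.
  rpm --import "$script_dir"/../qubes-release/RPM-GPG-KEY-qubes-*-primary
  # installation image includes community templates too
  rpm --import "$script_dir"/../qubes-release/RPM-GPG-KEY-qubes-*-templates-community
fi

# "$FILE" is quoted so a path with whitespace reaches verify_rpm as one
# argument instead of being split into several.
for FILE in "$@"; do
  verify_rpm "$FILE" || exit 1
done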