author | Robin H. Johnson <robbat2@gentoo.org> | 2024-01-28 22:21:25 -0800 |
---|---|---|
committer | Robin H. Johnson <robbat2@gentoo.org> | 2024-01-28 22:21:25 -0800 |
commit | abe299444edee656d8fd9797b3f50db4c35a463e (patch) | |
tree | aa1bc43b1291633b907a260a02633a404b238695 | |
parent | verify-sigs: support any valid key from keys.gentoo.org (repos must opt-in) (diff) | |
update-02-gpg: shellcheck fixesrjohnson/gpg-fixes-from-keyserver
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
-rwxr-xr-x | local/update-02-gpg | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/local/update-02-gpg b/local/update-02-gpg
index eea8c91..5ada4b5 100755
--- a/local/update-02-gpg
+++ b/local/update-02-gpg
@@ -14,14 +14,14 @@ if [ -z "${GIT_DIR}" ]; then
 exit 1
 fi
-if [ -z "${refname}" -o -z "${oldrev}" -o -z "${newrev}" ]; then
+if [ -z "${refname}" ] || [ -z "${oldrev}" ] || [ -z "${newrev}" ]; then
 echo "usage: ${0} <ref> <oldrev> <newrev>" >&2
 exit 1
 fi
 # branch names or 'all', or 'all-refs' for all refs
 SIGNED_BRANCHES=$(git config --get gentoo.signed-branches)
-: ${SIGNED_BRANCHES:=master}
+: "${SIGNED_BRANCHES:=master}"
 VERIFY_SIGS=$(git config --get gentoo.verify-signatures)
 : "${VERIFY_SIGS:=gentoo-devs}"
@@ -78,7 +78,7 @@ case ${VERIFY_SIGS} in
 )
 EXPORT_CMD=(
 gpg -q
- --export-options export-clean,no-export-local-sigs,no-export-attributes
+ --export-options 'export-clean,no-export-local-sigs,no-export-attributes'
 # keep-uid filter is not working in gnupg-2.4.3 or gnupg-2.2.41
 #--export-filter 'keep-uid="uid =~ @gentoo.org"'
 --export
@@ -86,7 +86,7 @@ case ${VERIFY_SIGS} in
 IMPORT_CMD=(
 gpg -q
 # no-self-sigs-only is needed to import the signature chain.
- --import-options import-clean,no-import-local-sigs,no-keep-ownertrust,no-self-sigs-only
+ --import-options 'import-clean,no-import-local-sigs,no-keep-ownertrust,no-self-sigs-only'
 # keep-uid filter is not working in gnupg-2.4.3 or gnupg-2.2.41
 #--import-filter 'keep-uid="uid =~ @gentoo.org"'
 --import
@@ -100,8 +100,9 @@ case ${VERIFY_SIGS} in
 "${IMPORT_CMD[@]}"
 # use new GNUGPHOME to restrict to dev's keys
+ GNUPGHOME=${TMPHOME}
 export GNUPGHOME=${TMPHOME}
- cat >>$GNUPGHOME/gpg.conf <<-EOF
+ cat >>"$GNUPGHOME"/gpg.conf <<-EOF
 # Explicitly set trust model;
 # git-2.43 does not recognize the always & direct trust model behavior
 # so it exports that the signatures came from an untrusted key
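Review bot: The added `GNUPGHOME=${TMPHOME}` in the `@@ -100,8 +100,9 @@` hunk duplicates the assignment already made by the `export GNUPGHOME=${TMPHOME}` line that follows it; keep the new assignment and reduce the next line to `export GNUPGHOME`. Because this directory is what confines verification to the imported developer keys, the assignment is also a good place to fail closed: `GNUPGHOME=${TMPHOME:?}` aborts if TMPHOME is empty, instead of writing to `/gpg.conf` and, as far as I know, letting gpg fall back to its default home directory. Where TMPHOME is set is outside this hunk, so it may already be checked there. The same `"$GNUPGHOME"/gpg.conf` path is used by the `trusted-key` loop in the following hunk.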
@@ -110,7 +111,7 @@ case ${VERIFY_SIGS} in
 # And declare that the L1 key is trusted.
 # This could go into the trustdb file instead, but cleaner this way.
 for _k in "${CHAIN_L1[@]}" ; do
- echo "trusted-key $_k" >> $GNUPGHOME/gpg.conf
+ echo "trusted-key $_k" >>"$GNUPGHOME"/gpg.conf
 done
 # If there are problems w/ the key export/import loop, or trust
@@ -183,7 +184,7 @@ case ${SIGNED_BRANCHES} in
 [[ ${refname} == refs/heads/* ]] || exit 0
 branch_found=
 for branch in ${SIGNED_BRANCHES}; do
- if [[ ${refname#refs/heads/} == ${branch} ]]; then
+ if [[ ${refname#refs/heads/} == "${branch}" ]]; then
 branch_found=1
 break
 fi |
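Review bot: Quoting the right-hand side in `[[ ${refname#refs/heads/} == "${branch}" ]]` (hunk `@@ -183,7 +184,7 @@`) turns a glob-pattern match into a literal string comparison, which is a behaviour change rather than a lint-only fix. If any repository's `gentoo.signed-branches` value contains a pattern, pushes to the matching branches would no longer set `branch_found`; what follows the loop is outside the hunk, but presumably the signature check is then skipped. If literal names are the intent, say so where the setting is read, e.g. `# branch names (literal, no patterns) or 'all', or 'all-refs' for all refs`; if patterns are meant to work, keep the RHS unquoted under `# shellcheck disable=SC2053`. The unquoted `for branch in ${SIGNED_BRANCHES}` in the same hunk is still subject to pathname expansion in the hook's working directory, which `set -f` around the loop would avoid.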