Skip to content

Commit b0df500

Browse files
hardingharding
committed
Update gpg.sh to upstream version
Current as of bitcoin/bitcoin be992701b018f256db6d64786624be4cb60d8975
1 parent a52681c commit b0df500

File tree

1 file changed

+11
-5
lines changed

1 file changed

+11
-5
lines changed

contrib/verify-commits/gpg.sh

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,13 +3,14 @@
33
# Distributed under the MIT software license, see the accompanying
44
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
55

6+
export LC_ALL=C
67
INPUT=$(cat /dev/stdin)
78
VALID=false
89
REVSIG=false
910
IFS='
1011
'
1112
if [ "$BITCOIN_VERIFY_COMMITS_ALLOW_SHA1" = 1 ]; then
12-
GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
13+
GPG_RES="$(printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
1314
else
1415
# Note how we've disabled SHA1 with the --weak-digest option, disabling
1516
# signatures - including selfsigs - that use SHA1. While you might think that
@@ -24,15 +25,15 @@ else
2425
case "$LINE" in
2526
"gpg (GnuPG) 1.4.1"*|"gpg (GnuPG) 2.0."*)
2627
echo "Please upgrade to at least gpg 2.1.10 to check for weak signatures" > /dev/stderr
27-
GPG_RES="$(echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
28+
GPG_RES="$(printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null)"
2829
;;
2930
# We assume if you're running 2.1+, you're probably running 2.1.10+
3031
# gpg will fail otherwise
3132
# We assume if you're running 1.X, it is either 1.4.1X or 1.4.20+
3233
# gpg will fail otherwise
3334
esac
3435
done
35-
[ "$GPG_RES" = "" ] && GPG_RES="$(echo "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)"
36+
[ "$GPG_RES" = "" ] && GPG_RES="$(printf '%s\n' "$INPUT" | gpg --trust-model always --weak-digest sha1 "$@" 2>/dev/null)"
3637
fi
3738
for LINE in $(echo "$GPG_RES"); do
3839
case "$LINE" in
@@ -46,14 +47,19 @@ for LINE in $(echo "$GPG_RES"); do
4647
REVSIG=true
4748
GOODREVSIG="[GNUPG:] GOODSIG ${LINE#* * *}"
4849
;;
50+
"[GNUPG:] EXPKEYSIG "*)
51+
[ "$BITCOIN_VERIFY_COMMITS_ALLOW_REVSIG" != 1 ] && exit 1
52+
REVSIG=true
53+
GOODREVSIG="[GNUPG:] GOODSIG ${LINE#* * *}"
54+
;;
4955
esac
5056
done
5157
if ! $VALID; then
5258
exit 1
5359
fi
5460
if $VALID && $REVSIG; then
55-
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)"
61+
printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "^\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)"
5662
echo "$GOODREVSIG"
5763
else
58-
echo "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
64+
printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
5965
fi

0 commit comments

Comments
 (0)