fetch-release: export GNUPGHOME

This approach is less error-prone.
It is also used by our fetcher scripts.
This commit is contained in:
Erik Arvstedt 2022-02-03 20:46:29 +01:00
parent 397b372cf3
commit d41a550355
No known key found for this signature in database
GPG Key ID: 33312B944DD97846

View File

@ -14,15 +14,15 @@ fi
TMPDIR=$(mktemp -d)
trap "rm -rf $TMPDIR" EXIT
GPG_HOME=$TMPDIR/gpg-home
mkdir -p -m 700 "$GPG_HOME"
export GNUPGHOME=$TMPDIR/gpg-home
mkdir -p -m 700 "$GNUPGHOME"
# Import key
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
# Check that exactly one key was imported
(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1))
(($(gpg --list-keys --with-colons | grep -c pub) == 1))
# Verify key fingerprint
gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
# Fetch nar-hash of release
cd $TMPDIR
@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
# Verify signature for nar-hash
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
gpg --verify nar-hash.txt.asc &> /dev/null || {
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
exit 1
}