fetch-release: export GNUPGHOME
This approach is less error-prone. It is also used by our fetcher scripts.
This commit is contained in:
Erik Arvstedt
parent
397b372cf3
commit
d41a550355
@ -14,15 +14,15 @@ fi
|
|||||||
TMPDIR=$(mktemp -d)
|
TMPDIR=$(mktemp -d)
|
||||||
trap "rm -rf $TMPDIR" EXIT
|
trap "rm -rf $TMPDIR" EXIT
|
||||||
|
|
||||||
GPG_HOME=$TMPDIR/gpg-home
|
export GNUPGHOME=$TMPDIR/gpg-home
|
||||||
mkdir -p -m 700 "$GPG_HOME"
|
mkdir -p -m 700 "$GNUPGHOME"
|
||||||
|
|
||||||
# Import key
|
# Import key
|
||||||
gpg --homedir $GPG_HOME --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
gpg --import "$scriptDir/key-jonasnick.bin" &> /dev/null
|
||||||
# Check that exactly one key was imported
|
# Check that exactly one key was imported
|
||||||
(($(gpg --homedir $GPG_HOME --list-keys --with-colons | grep -c pub) == 1))
|
(($(gpg --list-keys --with-colons | grep -c pub) == 1))
|
||||||
# Verify key fingerprint
|
# Verify key fingerprint
|
||||||
gpg --homedir $GPG_HOME --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
|
gpg --list-keys "36C7 1A37 C9D9 88BD E825 08D9 B1A7 0E4F 8DCD 0366" > /dev/null
|
||||||
|
|
||||||
# Fetch nar-hash of release
|
# Fetch nar-hash of release
|
||||||
cd $TMPDIR
|
cd $TMPDIR
|
||||||
@ -31,7 +31,7 @@ curl -s --show-error -L -O $baseUrl/nar-hash.txt
|
|||||||
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
|
curl -s --show-error -L -O $baseUrl/nar-hash.txt.asc
|
||||||
|
|
||||||
# Verify signature for nar-hash
|
# Verify signature for nar-hash
|
||||||
gpg --homedir $GPG_HOME --verify nar-hash.txt.asc &> /dev/null || {
|
gpg --verify nar-hash.txt.asc &> /dev/null || {
|
||||||
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
|
>&2 echo "Error: Signature verification failed. Please open an issue in the project repository."
|
||||||
exit 1
|
exit 1
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user