commit:     1c27f4e482690f605e852f5e2b5312254b6c619f
Author:     Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Wed Jun 18 10:15:23 2025 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Jun 18 20:00:58 2025 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=1c27f4e4

emerge-webrsync: let check_file_signature() be responsible for dying

The check_file_signature() function acts as an adapter that invokes
check_file_signature_gemato() and/or check_file_signature_unwrapped() in
turn. As such, it contains code to check their return values and invoke
die() if necessary. However, this code is never reached because both of
the wrapped functions invoke die() of their own volition.

Address this issue by removing the redundant error-handling code from
both of the wrapped functions and allowing for check_file_signature() to
perform the error handling, as was originally intended.

Additionally, improve the diagnostic message by incorporating the
basename of the file for which validation has failed. The following
sample output depicts this change.

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DCD0 5B71 EAB9 4199 527F  44AC DB6B 8C1F 96D8 BF6D
     Subkey fingerprint: E1D6 ABB6 3BFC FB4B A02F  DF1C EC59 0EEA C918 9250
emerge-webrsync: signature verification failed for 'gentoo-20250617.tar.xz'

Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>

 bin/emerge-webrsync | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)

diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 90ee167a8e..ed4825ef95 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -274,12 +274,7 @@ check_file_signature_gemato() {
                (( opt[quiet] )) && gemato_args+=( --quiet )
                (( opt[debug] )) && gemato_args+=( --debug )
 
-               if ! gemato "${gemato_args[@]}" -- "${signature}" "${file}"; 
then
-                       # Exit early since it's typically inappropriate to try
-                       # other mirrors in this case (it may indicate a keyring
-                       # problem).
-                       die "signature verification failed"
-               fi
+               gemato "${gemato_args[@]}" -- "${signature}" "${file}"
        fi
 }
 
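Review bot: With the `die` removed, a failed verification is reported only through `gemato "${gemato_args[@]}" -- "${signature}" "${file}"` being the last command executed, and the same holds for `gpg_verify "${signature}" "${file}"` at the end of check_file_signature_gpg_unwrapped() in the next hunk. Neither function documents this, so a later edit that appends any command after these calls would turn a bad signature into a zero return that check_file_signature() accepts. I would add a comment above each call such as `# Must remain the last command: its exit status is the verdict that check_file_signature() acts on.`, or make the contract explicit by appending `|| return`. The function body starts outside this hunk, so it is not visible whether the other branches of the enclosing `if` also yield a non-zero status when verification cannot be run.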
@@ -313,12 +308,7 @@ check_file_signature_gpg_unwrapped() {
                die "gpgdir is not writable: ${GNUPGHOME}"
        fi
 
-       if ! gpg_verify "${signature}" "${file}"; then
-               # Exit early since it's typically inappropriate to try
-               # other mirrors in this case (it may indicate a keyring
-               # problem).
-               die "signature verification failed"
-       fi
+       gpg_verify "${signature}" "${file}"
 }
 
 gpg_fingerprint() {
@@ -364,8 +354,10 @@ check_file_signature() {
        esac
 
        if (( ${r=$?} != 0 )); then
-               eerror "Error occurred in check_file_signature: ${r}. Aborting."
-               die "Verification error occured."
+               # Exit early since it's typically inappropriate to try other
+               # mirrors in this case (it may indicate a keyring problem).
+               file=${file##*/}
+               die "signature verification failed for ${file@Q}"
        fi
 }
 
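Review bot: The context line `if (( ${r=$?} != 0 )); then` is now the only guard between a failed verification and a continued sync, but `${r=$?}` assigns only when `r` is unset. If `r` already holds a value (a global, or a caller's local visible through bash's dynamic scoping), that stale value is tested instead of the exit status of the `case`. Since the new message no longer prints `${r}`, the variable can be dropped: `if (( $? != 0 )); then`. Whether `r` is declared local and left unset earlier in check_file_signature() cannot be seen from this hunk, because the function starts above it, so this needs confirming against the full body.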
