If a distfile has multiple detached signatures, pass verification
if at least one of them can be verified rather than requiring all
of them.  This is particularly helpful for upstreams where the whole
set of release keys is hard to come by.

Closes: https://bugs.gentoo.org/873211
Signed-off-by: Michał Górny <mgo...@gentoo.org>
---
 eclass/verify-sig.eclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 95e8b357893a..2c8311db49f9 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -146,7 +146,7 @@ verify-sig_verify_detached() {
                        # https://bugs.gentoo.org/854492
                        local -x TMPDIR=/tmp
                        gemato openpgp-verify-detached -K "${key}" \
-                               "${extra_args[@]}" \
+                               "${extra_args[@]}" --no-require-all-good \
                                "${sig}" "${file}" ||
                                die "PGP signature verification failed"
                        ;;
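Review bot: The `--no-require-all-good` option on the `gemato openpgp-verify-detached` line is added unconditionally, so every ebuild that goes through `verify-sig_verify_detached()` changes from "all detached signatures must verify" to "any one signature suffices", including ebuilds whose keyring does hold the full set of release keys. Consider gating the option behind an opt-in eclass variable so only the packages that need it get the looser check, or at least document the new semantics in the eclass documentation; the diffstat shows only this one line changed, so no documentation is updated. If the option exists only in newer gemato releases, the gemato dependency also needs a matching lower bound, which this change to the file does not add. The `die "PGP signature verification failed"` message is unchanged, so the documentation should say that failure now means none of the signatures verified.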
-- 
2.39.1

