X-Git-Url: https://git.decadent.org.uk/gitweb/?a=blobdiff_plain;f=daklib%2Fgpg.py;h=3f96c60942dc284caf166fd140e9d4162270ad09;hb=fff9d5d7917923ff2b4b327f5084ffda8096eb62;hp=828bf64906278f86db0aa13547b91356c0ba6568;hpb=9eff87cf703b5fe3310570ab30ff922e62f2957a;p=dak.git
diff --git a/daklib/gpg.py b/daklib/gpg.py
index 828bf649..3f96c609 100644
--- a/daklib/gpg.py
+++ b/daklib/gpg.py
@@ -78,8 +78,11 @@ class SignedFile(object):
         self.keyrings = keyrings
 
         self.valid = False
+        self.expired = False
+        self.invalid = False
         self.fingerprint = None
         self.primary_fingerprint = None
+        self.signature_id = None
 
         self._verify(data, require_signature)
 
@@ -112,6 +115,9 @@ class SignedFile(object):
         for line in self.status.splitlines():
             self._parse_status(line)
 
+        if self.invalid:
+            self.valid = False
+
         if require_signature and not self.valid:
             raise GpgException("No valid signature found. (GPG exited with status code %s)\n%s" % (exit_code, self.stderr))
 
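Review bot: `signature_timestamp` is the one attribute the VALIDSIG branch assigns that this constructor still does not initialise, while the new `expired`, `invalid` and `signature_id` all receive a default here; on input carrying no signature the attribute is simply absent and a caller reading it gets AttributeError rather than None (unless it is set somewhere outside the hunk). Adding `self.signature_timestamp = None` next to `self.signature_id = None` keeps the object's shape the same whether or not a signature was found. `__init__` starts before this hunk.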
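Review bot: Clearing `valid` when `invalid` is set leaves `fingerprint`, `primary_fingerprint` and `signature_timestamp` holding whatever VALIDSIG recorded, so a rejected signature (expired, or made by a revoked key) still presents a key identity to callers that construct with `require_signature=False` and consult the fingerprint rather than `valid`. Either reset them alongside `valid`, `self.fingerprint = self.primary_fingerprint = None`, or state in the class docstring that the fingerprint fields describe the signing key even when the signature is not accepted. The exception raised below also still reads only "No valid signature found" for the expired case; appending `self.expired` to its arguments would make log triage easier. `_verify` begins before this hunk.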
@@ -163,23 +169,43 @@ class SignedFile(object):
         #
         #
         if fields[1] == "VALIDSIG":
+            if self.fingerprint is not None:
+                raise GpgException("More than one signature is not (yet) supported.")
             self.valid = True
             self.fingerprint = fields[2]
             self.primary_fingerprint = fields[11]
             self.signature_timestamp = self._parse_date(fields[3])
 
-        if fields[1] == "BADARMOR":
+        elif fields[1] == "BADARMOR":
             raise GpgException("Bad armor.")
 
-        if fields[1] == "NODATA":
+        elif fields[1] == "NODATA":
             raise GpgException("No data.")
 
-        if fields[1] == "DECRYPTION_FAILED":
+        elif fields[1] == "DECRYPTION_FAILED":
             raise GpgException("Decryption failed.")
 
-        if fields[1] == "ERROR":
+        elif fields[1] == "ERROR":
             raise GpgException("Other error: %s %s" % (fields[2], fields[3]))
 
+        elif fields[1] == "SIG_ID":
+            if self.signature_id is not None:
+                raise GpgException("More than one signature id.")
+            self.signature_id = fields[2]
+
+        elif fields[1] in ('PLAINTEXT', 'GOODSIG'):
+            pass
+
+        elif fields[1] in ('EXPSIG', 'EXPKEYSIG'):
+            self.expired = True
+            self.invalid = True
+
+        elif fields[1] in ('REVKEYSIG', 'BADSIG', 'ERRSIG'):
+            self.invalid = True
+
+        else:
+            raise GpgException("Keyword '{0}' from GnuPG was not expected.".format(fields[1]))
+
     def _exec_gpg(self, stdin, stdout, stderr, statusfd):
         try:
             if stdin != 0:
@@ -195,7 +221,12 @@ class SignedFile(object):
                 fcntl.fcntl(fd, fcntl.F_SETFD, old & ~fcntl.FD_CLOEXEC)
             os.closerange(4, _MAXFD)
 
-            args = [self.gpg, "--status-fd=3", "--no-default-keyring"]
+            args = [self.gpg,
+                    "--status-fd=3",
+                    "--no-default-keyring",
+                    "--batch",
+                    "--no-tty",
+                    "--trust-model", "always"]
             for k in self.keyrings:
                 args.append("--keyring=%s" % k)
             args.extend(["--decrypt", "-"])
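Review bot: The new `else` branch turns every status keyword not in the list into a GpgException, which is fail-closed but will trip on ordinary GnuPG output: a signature made by a key that is not in the supplied keyrings produces ERRSIG followed by NO_PUBKEY, and newer gpg releases also emit per-signature keywords such as NEWSIG and KEY_CONSIDERED, so those inputs surface as "Keyword ... was not expected" rather than simply leaving `valid` False. Consider adding `'NO_PUBKEY'` to the `invalid` tuple and `'NEWSIG', 'KEY_CONSIDERED'` to the ignored `('PLAINTEXT', 'GOODSIG')` tuple, or record in a comment that the accepted keyword set is pinned to the gpg version this runs against so the failure mode is understood when gpg is upgraded. The duplicate-fingerprint guard on VALIDSIG is a sound defence against multi-signature ambiguity; the SIG_ID branch expresses the same intent and the two could share one error message. `_parse_status` begins before this hunk.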
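Review bot: `--trust-model always` makes every key in the passed keyrings fully trusted, so the verification result now rests entirely on keyring membership, and nothing in the hunk records why that is acceptable here (the caller supplies curated keyrings and `--no-default-keyring` excludes everything else). A comment above the list, `# Trust is delegated to keyring membership: only curated keyrings are passed in, so web-of-trust validity is deliberately disabled.`, would stop a later change from widening the keyring set without noticing that it also widens who is trusted. `--batch` and `--no-tty` are appropriate for an unattended child process. `_exec_gpg` and its `try:` begin before this hunk.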