gnupg: 'gnupg-verify*' returns a status symbol.

This allows callers to distinguish between signature verification failure and missing key. * guix/gnupg.scm (gnupg-receive-keys): Return true on success. (gnupg-verify*): Check return value of 'gnupg-receive-keys'. Return two values, the first one being a symbol. * guix/upstream.scm (download-tarball): Get the two return values of 'gnupg-verify*', and match on the first one. * gnu/packages/bash.scm (download-patches): Check the first return value of 'gnupg-verify*'.
author: Ludovic Courtès <ludo@gnu.org> 2019-12-20 21:49:43 +0100
committer: Ludovic Courtès <ludo@gnu.org> 2019-12-20 22:06:05 +0100
commit: f94f9d67e65975724ee5b5cbc936c0895a258685 (patch)
tree: 6f49826abce986fa03ae886ad120c42d7136cef6 /guix/upstream.scm
parent: 1101c73c7fb2e0dbba00b45c05bf36ae08bdb6f2 (diff)
download: patches-f94f9d67e65975724ee5b5cbc936c0895a258685.tar
patches-f94f9d67e65975724ee5b5cbc936c0895a258685.tar.gz
1 files changed, 14 insertions, 10 deletions
diff --git a/guix/upstream.scm b/guix/upstream.scm
index aa47dab4b4..c11de0b25b 100644
--- a/guix/upstream.scm
+++ b/guix/upstream.scm
@@ -318,16 +318,20 @@ values: 'interactive' (default), 'always', and 'never'."
                                                      (basename url) tarball)))
                              (mbegin %store-monad
                                (built-derivations (list drv))
-                               (return (derivation->output-path drv)))))))
-
-               (ret  (gnupg-verify* sig data #:key-download key-download)))
-          (if ret
-              tarball
-              (begin
-                (warning (G_ "signature verification failed for `~a'~%")
-                         url)
-                (warning (G_ "(could be because the public key is not in your keyring)~%"))
-                #f))))))
+                               (return (derivation->output-path drv))))))))
+          (let-values (((status data)
+                        (gnupg-verify* sig data #:key-download key-download)))
+            (match status
+              ('valid-signature
+               tarball)
+              ('invalid-signature
+               (warning (G_ "signature verification failed for '~a' (key: ~a)~%")
+                        url data)
+               #f)
+              ('missing-key
+               (warning (G_ "missing public key ~a for '~a'~%")
+                        data url)
+               #f)))))))
 
 (define (find2 pred lst1 lst2)
   "Like 'find', but operate on items from both LST1 and LST2.  Return two
author	Ludovic Courtès <ludo@gnu.org>	2019-12-20 21:49:43 +0100
committer	Ludovic Courtès <ludo@gnu.org>	2019-12-20 22:06:05 +0100
commit	f94f9d67e65975724ee5b5cbc936c0895a258685 (patch)
tree	6f49826abce986fa03ae886ad120c42d7136cef6 /guix/upstream.scm
parent	1101c73c7fb2e0dbba00b45c05bf36ae08bdb6f2 (diff)
download	patches-f94f9d67e65975724ee5b5cbc936c0895a258685.tar patches-f94f9d67e65975724ee5b5cbc936c0895a258685.tar.gz