* Avoid muddling output of wget and gpg when importing key (thanks to Tony Finch)
 * Allow additional options to gpg
 * Lose --no-options option to gpg as it's redundant
1 files changed, 15 insertions(+), 4 deletions(-)

M fetch-sanesecurity-sigs
M fetch-sanesecurity-sigs +15 -4
@@ 93,6 93,9 @@ gpg_key_url="http://www.sanesecurity.net
 # signatures by *any* key in your public keyring will be accepted)
 gpg_homedir="$data_dir/gnupg"
 
+# Extra options for GnuPG, if required
+gpg_extra_opts=""
+
 # Exclude logical signatures (*.ldb)?
 # These are not supported by versions of ClamAV prior to 0.94.
 # If you use an old version of ClamAV, you should enable this option.
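Review bot: The comment on `gpg_extra_opts` should say how the value is consumed, because it is expanded unquoted in the `--import` call and again in the `--verify` call further down, so the shell word-splits and glob-expands it. An option whose argument contains spaces or wildcard characters cannot be passed this way, and anything set here also applies to signature verification. I would document it as `# Extra GnuPG options, space-separated; expanded unquoted, so arguments containing spaces or glob characters are not supported` followed by `# These options are also passed to --verify; do not add any that relax signature checking`.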

          
@@ 118,13 121,22 @@ if [ ! -d "$gpg_homedir" ]
 then
 	echo "GnuPG homedir is nonexistant; initialising" >&2
 	echo "(This should only occur once)" >&2
-	mkdir "$gpg_homedir"
+	mkdir -p "$gpg_homedir"
 	chmod 0700 "$gpg_homedir"
-	if ! wget -O- "$gpg_key_url" | gpg --no-options --homedir "$gpg_homedir" --import -
+	gpg_tmp="$(mktemp -t fetch-sanesecurity-sigs.XXXXXXXXXX)"
+	if ! wget -O "$gpg_tmp" "$gpg_key_url"
+	then
+		echo "ERROR: could not fetch GnuPG public key; aborting" >&2
+		rm -f "$gpg_tmp"
+		exit 4
+	fi
+	if ! gpg --homedir "$gpg_homedir" $gpg_extra_opts --import "$gpg_tmp"
 	then
 		echo "ERROR: could not import GnuPG public key; aborting" >&2
+		rm -f "$gpg_tmp"
 		exit 4
 	fi
+	rm -f "$gpg_tmp"
 fi
 
 # This appears to be the most portable way to find the current timestamp
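Review bot: The downloaded key becomes the only trust anchor without any check of what was actually downloaded: the hunk header shows `gpg_key_url` starting with `http://`, and the configuration comment above says signatures by any key in the keyring are accepted. Whatever the first-run download returns therefore decides which signatures pass later; comparing the imported key's fingerprint against a value pinned in the script would close this, as sketched below with a placeholder fingerprint. Separately, both `exit 4` paths leave `$gpg_homedir` in place, so the next run finds the directory, skips the import and continues with an empty keyring; removing the directory on failure lets the import be retried. The result of `mktemp` is also not checked before it is used as the `wget -O` target.

```shell
	# … unchanged: mktemp and wget fetch; its error path should also remove "$gpg_homedir" …
	if ! gpg --homedir "$gpg_homedir" $gpg_extra_opts --import "$gpg_tmp"
	then
		echo "ERROR: could not import GnuPG public key; aborting" >&2
		rm -f "$gpg_tmp"
		# Remove the half-initialised homedir so the next run retries the import
		rm -rf "${gpg_homedir:?}"
		exit 4
	fi
	rm -f "$gpg_tmp"
	# Placeholder value: pin the publisher's fingerprint, obtained out of band
	gpg_key_fpr="<EXPECTED_KEY_FINGERPRINT>"
	if ! gpg --homedir "$gpg_homedir" --with-colons --fingerprint 2>/dev/null |
		grep -q "^fpr:::::::::$gpg_key_fpr:"
	then
		echo "SECURITY ERROR: imported GnuPG key does not match the pinned fingerprint; aborting" >&2
		rm -rf "${gpg_homedir:?}"
		exit 4
	fi
```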

          
@@ 199,7 211,7 @@ do
 	fi
 
 	# Check that the GnuPG signature is correct
-	if ! gpg_out=$(gpg --no-options --homedir "$gpg_homedir" --verify "$db.sig" "$db" 2>&1)
+	if ! gpg_out=$(gpg --homedir "$gpg_homedir" $gpg_extra_opts --verify "$db.sig" "$db" 2>&1)
 	then
 		echo "SECURITY ERROR: $db_name has a bad GnuPG signature; discarding:" >&2
 		echo "$gpg_out" >&2
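Review bot: Dropping `--no-options` from the `--verify` call is not a pure no-op: with `--homedir` set, gpg will read a `gpg.conf` from `$gpg_homedir` if one exists, and `$gpg_extra_opts` is now appended as well. Both therefore become inputs to the check that decides whether a database is accepted. If that is intended, the configuration comment should say so, e.g. `# gpg.conf in $gpg_homedir and gpg_extra_opts both affect signature verification`; otherwise keep `--no-options` on this call. The surrounding loop starts and ends outside the hunk.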

          
@@ 254,4 266,3 @@ else
 fi
 
 exit 0
-