@@ 88,6 88,11 @@ random_sleep=1
# URL of the Sanesecurity GnuPG public key
gpg_key_url="http://www.sanesecurity.net/publickey.gpg"
+# Location of GnuPG home directory
+# (If you change this, be sure that you understand the security implications:
+# signatures by *any* key in your public keyring will be accepted)
+gpg_homedir="$data_dir/gnupg"
+
# Exclude logical signatures (*.ldb)?
# These are not supported by versions of ClamAV prior to 0.94.
# If you use an old version of ClamAV, you should enable this option.
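Review bot: The new comment on L5-L6 names the real weakness — `gpg --verify` accepts a signature from any key in the keyring — but the configuration gives no way to bound it: the key at `gpg_key_url` (L3) is fetched over plain http and imported without any fingerprint check (the import is in the next hunk), so whatever a network attacker serves on the first run becomes the accepted signer for every later database. I would add a pinned fingerprint next to the URL, `gpg_key_fingerprint=""  # full fingerprint of the Sanesecurity key, obtained out of band; empty skips pinning`, and have the import and verify steps compare against it (e.g. the VALIDSIG line from `--status-fd`), failing closed on a mismatch. The homedir warning would also be more useful if it said what the safe choice is, e.g. `# (Use a dedicated directory: gpg --verify trusts *every* key in this keyring, so pointing it at ~/.gnupg widens the set of accepted signers)`.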
@@ 109,16 114,15 @@ fi
mkdir -p "$data_dir" "$cache_dir"
# Set up GnuPG, if necessary
-if [ ! -d "$data_dir/gnupg" ]
+if [ ! -d "$gpg_homedir" ]
then
- echo "No GnuPG homedir found; initialising" >&2
+ echo "GnuPG homedir is nonexistant; initialising" >&2
echo "(This should only occur once)" >&2
- mkdir "$data_dir/gnupg"
- chmod 0700 "$data_dir/gnupg"
- if ! wget -O- "$gpg_key_url" | gpg --no-options --homedir "$data_dir/gnupg" --import -
+ mkdir "$gpg_homedir"
+ chmod 0700 "$gpg_homedir"
+ if ! wget -O- "$gpg_key_url" | gpg --no-options --homedir "$gpg_homedir" --import -
then
echo "ERROR: could not import GnuPG public key; aborting" >&2
- rm -r "$data_dir/gnupg"
exit 4
fi
fi
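Review bot: Dropping `rm -r "$data_dir/gnupg"` from the failure branch leaves a homedir with no key behind when the first import fails (network error, bad download), and because the guard on L16 tests only directory existence, every later run skips initialisation and the verify step in the third hunk rejects each database with a misleading "bad GnuPG signature" instead of retrying the import. The directory in this branch was just created by `mkdir "$gpg_homedir"` on L24, so it is the script's own and restoring `rm -r -- "$gpg_homedir"` before `exit 4` is safe here. If a pre-existing user-supplied directory must never be removed, key the guard on the presence of a key instead, e.g. `if ! gpg --no-options --homedir "$gpg_homedir" --list-keys --with-colons 2>/dev/null | grep -q '^pub:'`, so a failed import is retried rather than silently accepted as done. Note also that the `mkdir` and `chmod 0700` results on L24-L25 are unchecked, so a failed `mkdir` proceeds into gpg with whatever permissions it creates. The new message on L19 misspells "nonexistent".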
@@ 195,7 199,7 @@ do
fi
# Check that the GnuPG signature is correct
- if ! gpg_out=$(gpg --no-options --homedir "$data_dir/gnupg" --verify "$db.sig" "$db" 2>&1)
+ if ! gpg_out=$(gpg --no-options --homedir "$gpg_homedir" --verify "$db.sig" "$db" 2>&1)
then
echo "SECURITY ERROR: $db_name has a bad GnuPG signature; discarding:" >&2
echo "$gpg_out" >&2