+sub checksig_keyring ($) {
+ my ($keyringfile) = @_;
+ # returns primary-keyid if signed by a key in this keyring
+ # or undef if not
+ # or dies on other errors
+
+ my $ok = undef;
+
+ open P, "-|", (qw(gpgv --status-fd=1),
+ map { '--keyring', $_ }, @keyrings,
+ qw(dgit-tmp/plaintext.asc dgit-tmp/plaintext))
+ or die $!;
+
+ while (<P>) {
+ next unless s/^\[GNUPG:\]: //;
+ chomp or die;
+ my @l = split / /, $_;
+ if ($l[0] eq 'NO_PUBKEY') {
+ last;
+ } elsif ($l[0] eq 'VALIDSIG') {
+ my $sigtype = $l[9];
+ $sigtype eq '00' or reject "signature is not of type 00!";
+ $ok = $l[10];
+ die unless defined $ok;
+ last;
+ }
+ }
+ close P;
+
+ return $ok;
+}
+
+sub dm_txt_check ($$) {
+ my ($keyid, $dmtxtfn) = @_;
+ open DT, '<', $dmtxtfn or die "$dmtxtfn $!";
+ while (<DT>) {
+ m/^fingerprint:\s+$keyid$/oi
+ ..0 or next;
+ m/^\S/
+ or reject "key $keyid missing Allow section in permissions!";
+ # in right stanza...
+ s/^allow:/ /i
+ ..0 or next;
+ s/^\s+//
+ or reject "package $package not allowed for key $keyid";
+ # in allow field...
+ s/\([^()]+\)//;
+ s/\,//;
+ foreach my $p (split /\s+/) {
+ return if $p eq $package; # yay!
+ }
+ }
+ DT->error and die $!;
+ close DT or die $!;
+ reject "key $keyid not in permissions list although in keyring!";
+}
+
+sub verifytag () {
+ foreach my $kas (split /:/, $keyrings) {
+ $kas =~ s/^([^,]+),// or die;
+ my $keyid = checksig_keyring $1;
+ if (defined $keyid) {
+ if ($kas =~ m/^a$/) {
+ return; # yay
+ } elsif ($kas =~ m/^m([^,]+)$/) {
+ dm_txt_check($keyid, $1);
+ return;
+ } else {
+ die;
+ }
+ }
+ }
+ reject "key not found in keyrings";
+}
+