Check gpg's exit code rather than stdout for signature verification #3

Closed
micahflee opened this issue Feb 18, 2013 · 3 comments
@micahflee micahflee commented Feb 18, 2013

From https://trac.torproject.org/projects/tor/ticket/5236#comment:33

Screenshots look good!

Can you add sebastian's key please? The verify page says he sometimes also signs the builds.

if 'Good signature' in output:

Not sure if that opens up for anything weird. gpg has exit codes.

A different example: clearsign a file, tamper with the clearsigned file, and then gpg --decrypt.

$ gpg --decrypt xx.asc 
Good signature
f
gpg: Signature made Mon Feb 18 04:57:51 2013 UTC
gpg:                using RSA key 0x9C131AD3713AAEEF
gpg: BAD signature from "adrelanos <adrelanos at riseup dot net>" [ultimate]

In this case matching Good signature wouldn't be good. Doesn't work in this case, just wanted to note, that reading the exit codes is better.


@micahflee micahflee commented Feb 18, 2013

I merged in ioerror's gpg-keys branch (https://github.com/ioerror/torbrowser-launcher/tree/gpg-keys/keys), which includes Sebastian's public key.


@micahflee micahflee commented Feb 18, 2013

verify.sh script should exit with the exit code of the gpg --verify command. It should also validate input (ioerror@40abeed). I could also use a system-wide trusted gpg homedir with the keys already imported (ioerror@bfe97f4).


@micahflee micahflee commented Mar 3, 2013

Actually it looks like a global homedir doesn't work because gnupg wants to write files to it.

[micah@spock] {master} ~/projects/torbrowser-launcher$ cd 
[micah@spock] ~$ gpg --homedir /usr/share/torbrowser-launcher/gnupg_homedir/ --verify ~/.torbrowser/download/tor-browser-gnu-linux-x86_64-2.4.10-alpha-2-dev-en-US.tar.gz.asc 
gpg: WARNING: unsafe ownership on homedir `/usr/share/torbrowser-launcher/gnupg_homedir/'
gpg: Signature made Thu 21 Feb 2013 09:48:50 PM PST using RSA key ID 63FEE659
gpg: failed to create temporary file `/usr/share/torbrowser-launcher/gnupg_homedir//.#lk0x221bde0.spock.28222': Permission denied
gpg: fatal: can't create lock for `/usr/share/torbrowser-launcher/gnupg_homedir//trustdb.gpg'
secmem usage: 1408/1408 bytes in 2/2 blocks of pool 1408/32768

micahflee added a commit that referenced this issue Mar 3, 2013
@micahflee micahflee closed this Mar 3, 2013
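
The two checks discussed in this thread, side by side, as an added example that is not code from torbrowser-launcher or from any commenter. The helper names, the signer name and the stand-in commands are constructed: the stand-ins replay output shaped like the tampered clearsigned transcript quoted above, so the block runs without gpg installed.

```python
import subprocess
import sys

def gpg_verify_cmd(homedir, sig_path, data_path):
    """Detached-signature check using only the flags shown in the thread."""
    return ["gpg", "--homedir", homedir, "--verify", sig_path, data_path]

def _fake_gpg(stdout, stderr, code):
    """Constructed stand-in for gpg: a child with fixed output and exit code."""
    script = ("import sys; sys.stdout.write(%r); sys.stderr.write(%r); sys.exit(%d)"
              % (stdout, stderr, code))
    return [sys.executable, "-c", script]

# Constructed sample modelled on the transcript quoted in the issue: the
# tampered cleartext body itself says "Good signature", gpg reports BAD.
TAMPERED = _fake_gpg("Good signature\nf\n",
                     'gpg: BAD signature from "constructed signer"\n', 1)
# Constructed sample of an untampered file.
INTACT = _fake_gpg("f\n", 'gpg: Good signature from "constructed signer"\n', 0)

def run(cmd):
    """Run cmd; return (exit code, stdout and stderr combined)."""
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return proc.returncode, proc.stdout + proc.stderr

def verify_by_output(cmd):
    """The check quoted in the issue: substring match on gpg's output."""
    _, output = run(cmd)
    return "Good signature" in output

def verify_by_exit_code(cmd):
    """Accept only when gpg exits 0. With a keyring that holds nothing but the
    trusted signing keys, 0 means one of those keys made a valid signature."""
    code, _ = run(cmd)
    return code == 0

if __name__ == "__main__":
    for name, cmd in (("tampered", TAMPERED), ("intact", INTACT)):
        print(name, "output check:", verify_by_output(cmd),
              "exit-code check:", verify_by_exit_code(cmd))
```

In real use, pass the list from `gpg_verify_cmd(...)` to `verify_by_exit_code`, with a homedir the calling user can write to, since the last comment shows gpg failing when it cannot create its lock file there.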