From 82afad6788632cc27421a9b00409b05b78ab9d52 Mon Sep 17 00:00:00 2001
From: Sam Johnston
Date: Tue, 23 Jul 2024 11:58:19 -0700
Subject: [PATCH] fix verifications
---
 .github/scripts/verify-gpg-signatures.sh | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/.github/scripts/verify-gpg-signatures.sh b/.github/scripts/verify-gpg-signatures.sh
index 6f07148f..ad1636e4 100644
--- a/.github/scripts/verify-gpg-signatures.sh
+++ b/.github/scripts/verify-gpg-signatures.sh
@@ -26,10 +26,12 @@ is_signed_by_trusted_key() {
     gpg --keyserver "$GPG_KEYSERVER" --recv-keys "$key_id"
     for trusted_fpr in $trusted_fingerprints; do
-        if gpg --list-sigs --with-colons "$key_id" | grep -q "sig:::::::::$trusted_fpr:"; then
+        if gpg --check-sigs --with-colons "$key_id" | grep -q "sig:!:::::::::$trusted_fpr:"; then
+            echo "Key $key_id is signed by trusted key $trusted_fpr"
             return 0
         fi
     done
+    echo "Key $key_id is not signed by any trusted key"
     return 1
 }
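Review bot: The new grep pattern keeps all nine colons of the pattern it replaces and inserts `!` after `sig:`, so it now expects the trusted fingerprint one colon-separated field further to the right than before; only one of those two positions can be the field in which gpg prints the issuer fingerprint, so either the old check never matched or the new one cannot, and a silent non-match here reports every key as "not signed by any trusted key". Counting colons against `--with-colons` output is fragile in any case; selecting the field by number is clearer and lets the index be pinned against the DETAILS document for the gpg shipped on the runner, e.g. `gpg --check-sigs --with-colons "$key_id" | awk -F: -v fpr="$trusted_fpr" '$1 == "sig" && $2 == "!" && $FIELD_INDEX == fpr { ok = 1 } END { exit !ok }'` with `FIELD_INDEX` replaced by the issuer-fingerprint field number confirmed for that version. The `gpg --recv-keys` on the first context line is unchecked, so a keyserver failure falls through into the loop and is reported as an untrusted key rather than as a fetch error; `|| return 1` after it, or a distinct message, would keep the two cases apart. The function header and the `key_id` assignment sit above the hunk.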
@@ -110,20 +112,14 @@ for commit in $(git rev-list $commit_range); do
         continue
     fi
-    # Check if the signing key is a trusted key
-    if gpg --list-keys --with-colons "$signing_key" 2>/dev/null | grep -q "^pub"; then
-        echo "::notice file=.github/scripts/verify-signatures.sh::Commit $commit by $commit_author is signed by a trusted key: $signing_key"
-        continue
-    fi
-
-    # If not a trusted key or GitHub key, check if it's signed by a trusted key
+    # Check if the signing key is signed by a trusted key
     if ! is_signed_by_trusted_key "$signing_key"; then
-        echo "::warning file=.github/scripts/verify-signatures.sh::Commit $commit by $commit_author is signed by an untrusted key: $signing_key"
+        echo "::warning file=.github/scripts/verify-signatures.sh::Commit $commit by $commit_author is signed by a key not signed by any trusted key: $signing_key"
         failure=true
         continue
     fi
-    echo "::notice file=.github/scripts/verify-signatures.sh::Commit $commit by $commit_author has a valid signature from a trusted key"
+    echo "::notice file=.github/scripts/verify-signatures.sh::Commit $commit by $commit_author has a valid signature from a key signed by a trusted key"
 done
 # Check if any warnings were issued
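Review bot: Both rewritten echo lines carry `file=.github/scripts/verify-signatures.sh` in their `::warning`/`::notice` annotation, while the file this patch edits is `.github/scripts/verify-gpg-signatures.sh`, so the annotations are attached to a path that is not the script producing them; since the commit is already rewording these strings, the path could be corrected in the same change, `file=.github/scripts/verify-gpg-signatures.sh`. With the local-keyring shortcut removed, every commit in the range now goes through `is_signed_by_trusted_key`, which does a keyserver `--recv-keys` on each call, so a long `$commit_range` costs one network round-trip per commit and a keyserver outage flags every commit as untrusted; remembering already-verified `$signing_key` values (an associative array keyed by key ID) would bound both. It also appears that a key listed in `$trusted_fingerprints` is now accepted only if `--check-sigs` shows a good signature on it from a trusted fingerprint, presumably its own self-signature — worth stating in the new comment so the reliance is explicit. The enclosing `for commit` loop begins above the hunk.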