 @@ -1,14 +1,14 @@
-# $NetBSD: Makefile,v 1.208 2015/04/21 00:28:19 joerg Exp $
+# $NetBSD: Makefile,v 1.209 2015/09/01 12:14:05 jperkin Exp $
 # Notes to package maintainers:
+#
 # Updating this package does not automatically necessitate bumping
 # PKGTOOLS_REQD in bsd.pkg.mk. Do so if and only if there is a critical
 # change in the pkg_* tools that pkgsrc relies on for proper operation.
 PKGNAME=		pkg_install-${VERSION}
 CATEGORIES=		pkgtools
 MAINTAINER=		agc@NetBSD.org
 HOMEPAGE=		http://www.pkgsrc.org/
 COMMENT=		Package management and administration tools for pkgsrc
 @@ -118,26 +118,27 @@ CONFIGURE_ARGS+=	--with-ssl
 .include "../../security/openssl/buildlink3.mk"
 .endif
 .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS]) || \
     empty(USE_BUILTIN.zlib:M[yY][eE][sS])
 USE_BUILTIN.libarchive=	no
 .endif
 FILESDIR.bzip2?=	${.CURDIR}/../../archivers/bzip2/files
 FILESDIR.libarchive?=	${.CURDIR}/../../archivers/libarchive/files
 FILESDIR.zlib?=		${.CURDIR}/../../devel/zlib/files
 FILESDIR.libfetch?=	${.CURDIR}/../../net/libfetch/files
 FILESDIR.netpgpverify?=	${.CURDIR}/../../security/netpgpverify/files
 .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS])
 CPPFLAGS+=	-I${WRKDIR}/bzip2
 LDFLAGS+=	-L${WRKDIR}/bzip2
 .endif
 .if empty(USE_BUILTIN.zlib:M[yY][eE][sS])
 CPPFLAGS+=	-I${WRKDIR}/zlib
 LDFLAGS+=	-L${WRKDIR}/zlib
 .endif
 .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS])
 CPPFLAGS+=	-I${WRKDIR}/libarchive/libarchive
 LDFLAGS+=	-L${WRKDIR}/libarchive/.libs
 @@ -166,64 +167,73 @@ CPPFLAGS+=	-DLIBARCHIVE_STATIC
 LDFLAGS+=	-Wl,-search_paths_first
 .  endif
 .  if ${OPSYS} == "SunOS"
 # workaround for pkg/45491
 CONFIGURE_ENV+=	ac_cv_header_ext2fs_ext2_fs_h=no
 .  endif
 # Hack to make sure that the libarchive version is replaced
 pre-configure: config-guess-override config-sub-override
 .endif
 CPPFLAGS+=	-I${WRKDIR}/libfetch
 LDFLAGS+=	-L${WRKDIR}/libfetch
 # Avoid duplicate and conflicting headers, pull in any we need
 # directly with <netpgpgverify/*.h>
 CPPFLAGS+=	-I${WRKDIR}
 LDFLAGS+=	-L${WRKDIR}/netpgpverify
 CONFIGURE_ENV+=	LIBS=${LIBS:Q}
 do-extract:
 	@${CP} -R ${FILESDIR} ${WRKSRC}
 .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS])
 	@${CP} -R ${FILESDIR.bzip2} ${WRKDIR}/bzip2
 .endif
 .if empty(USE_BUILTIN.zlib:M[yY][eE][sS])
 	@${CP} -R ${FILESDIR.zlib} ${WRKDIR}/zlib
 .endif
 .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS])
 	@${CP} -R ${FILESDIR.libarchive} ${WRKDIR}/libarchive
 .endif
 	@${CP} -R ${FILESDIR.libfetch} ${WRKDIR}/libfetch
 	@${CP} -R ${FILESDIR.netpgpverify} ${WRKDIR}/netpgpverify
 pre-configure:
 .if empty(USE_BUILTIN.bzip2:M[yY][eE][sS])
 	cd ${WRKDIR}/bzip2 && ${BUILD_MAKE_CMD} libbz2.a
 .endif
 .if empty(USE_BUILTIN.zlib:M[yY][eE][sS])
 	cd ${WRKDIR}/zlib && ${BUILD_MAKE_CMD} libz.a
 .endif
 .if empty(USE_BUILTIN.libarchive:M[yY][eE][sS])
 	cd ${WRKDIR}/libarchive && ${SETENV} ${_CONFIGURE_SCRIPT_ENV}	\
 		${CONFIG_SHELL} ${CONFIG_SHELL_FLAGS} ./configure	\
 		--disable-bsdcpio --disable-bsdtar --disable-shared	\
 		--disable-dependency-tracking --without-expat		\
 		--without-iconv --without-lzo2 --without-nettle		\
 		--without-xml2	\
 		${LIBARCHIVE_CONFIGURE_ARGS}
 	cd ${WRKDIR}/libarchive && ${BUILD_MAKE_CMD}
 .endif
 	cd ${WRKDIR}/libfetch && ${TOUCH} fetch.cat3 &&			\
 		${SETENV} ${MAKE_ENV} ${BSD_MAKE_ENV}			\
 		${MAKE_PROGRAM} ${MAKE_FLAGS} ${BUILD_MAKE_FLAGS}	\
 			-f ${MAKE_FILE} depend all
 	cd ${WRKDIR}/netpgpverify &&					\
 	${SED} -e '/zlib/d' Makefile.lib.in >Makefile.in &&		\
 	./configure && ${SETENV} ${MAKE_ENV} ${BSD_MAKE_ENV}		\
 		${MAKE_PROGRAM} ${MAKE_FLAGS} ${BUILD_MAKE_FLAGS}	\
 			-f ${MAKE_FILE} all
 # XXX Reverse the order that update does things since
 # XXX we need pkg_delete built before we can deinstall.
 # XXX This should probably be the default order for all packages.
 update:
 	${MAKE}
 	${MAKE} deinstall _UPDATE_RUNNING=YES
 	${MAKE} ${UPDATE_TARGET}
 	${MAKE} clean
 update-catpages:
 	for f in lib/pkgsrc.7 add/pkg_add.1 admin/pkg_admin.1 \
 	    create/pkg_create.1 delete/pkg_delete.1 info/pkg_info.1 \

 @@ -1,14 +1,14 @@
-# $NetBSD: Makefile.in,v 1.27 2015/01/22 09:19:47 jperkin Exp $
+# $NetBSD: Makefile.in,v 1.28 2015/09/01 12:14:06 jperkin Exp $
 srcdir=		@srcdir@
 prefix=		@prefix@
 exec_prefix=	@exec_prefix@
 sbindir=	@sbindir@
 mandir=		@mandir@
 datarootdir=	@datarootdir@
 man1dir=	$(mandir)/man1
 cat1dir=	$(mandir)/cat1
 man8dir=	$(mandir)/man8
 cat8dir=	$(mandir)/cat8
 @@ -18,27 +18,27 @@ SSL_SUPPORT=	@ssl_support@
 CC=		@CC@
 CCLD=		$(CC)
 DEFS=		@DEFS@
 CFLAGS=		@CFLAGS@
 LDFLAGS=	@LDFLAGS@ -L../lib
 INSTALL=	@INSTALL@
 PROG=		pkg_admin
 SCRIPTS=	audit-packages download-vulnerability-list
 .if empty(BOOTSTRAP)
-LIBS=		-linstall -larchive -lfetch
+LIBS=		-linstall -larchive -lfetch -lnetpgpverify
 .if !empty(SSL_SUPPORT)
 LIBS+=		-lssl -lcrypto
 CFLAGS+=	-DHAVE_SSL
 .endif
 LIBS+=		@LIBS@
 OBJS=		audit.o check.o main.o
 CPPFLAGS=	@CPPFLAGS@ -I. -I$(srcdir) -I../lib
 .else
 LIBS=		-linstall @LIBS@
 OBJS=		check.o main.o
 CPPFLAGS=	@CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP
 .endif

 @@ -1,14 +1,14 @@
-# $NetBSD: Makefile.in,v 1.25 2015/01/22 09:19:47 jperkin Exp $
+# $NetBSD: Makefile.in,v 1.26 2015/09/01 12:14:06 jperkin Exp $
 srcdir=		@srcdir@
 prefix=		@prefix@
 exec_prefix=	@exec_prefix@
 sbindir=	@sbindir@
 mandir=		@mandir@
 datarootdir=	@datarootdir@
 man1dir=	$(mandir)/man1
 cat1dir=	$(mandir)/cat1
 BOOTSTRAP=	@bootstrap@
 @@ -16,27 +16,27 @@ BOOTSTRAP=	@bootstrap@
 CC=		@CC@
 CCLD=		$(CC)
 DEFS=		@DEFS@
 CFLAGS=		@CFLAGS@
 LDFLAGS=	@LDFLAGS@ -L../lib
 INSTALL=	@INSTALL@
 PROG=		pkg_create
 SSL_SUPPORT=	@ssl_support@
 .if empty(BOOTSTRAP)
-LIBS=		-linstall -larchive -lfetch @LIBS@
+LIBS=		-linstall -larchive -lfetch -lnetpgpverify @LIBS@
 .if !empty(SSL_SUPPORT)
 LIBS+=		-lssl -lcrypto
 .endif
 CPPFLAGS=	@CPPFLAGS@ -I. -I$(srcdir) -I../lib
 OBJS=	main.o perform.o pl.o util.o build.o
 .else
 LIBS=		-linstall @LIBS@
 CPPFLAGS=	@CPPFLAGS@ -I. -I$(srcdir) -I../lib -DBOOTSTRAP
 OBJS=	main.o perform.o pl.o util.o
 .endif
 all: $(PROG)

 @@ -1,14 +1,14 @@
-# $NetBSD: Makefile.in,v 1.34 2013/09/12 11:03:10 jperkin Exp $
+# $NetBSD: Makefile.in,v 1.35 2015/09/01 12:14:06 jperkin Exp $
 srcdir=		@srcdir@
 pkgdbdir=	@pkgdbdir@
 mandir=		@mandir@
 datarootdir=	@datarootdir@
 sysconfdir=	@sysconfdir@
 cat5dir=	$(mandir)/cat5
 cat7dir=	$(mandir)/cat7
 man5dir=	$(mandir)/man5
 man7dir=	$(mandir)/man7
 @@ -17,36 +17,36 @@ SSL_SUPPORT=	@ssl_support@
 RANLIB=		@RANLIB@
 AR=		@AR@
 CC=		@CC@
 CPPFLAGS=	@CPPFLAGS@ -I. -I$(srcdir)
 DEFS=		@DEFS@ -DDEF_LOG_DIR=\"$(pkgdbdir)\"
 CFLAGS=		@CFLAGS@
 INSTALL=	@INSTALL@
 LIB=	libinstall.a
 OBJS=	automatic.o conflicts.o dewey.o fexec.o file.o \
-	gpgsig.o global.o iterate.o license.o lpkg.o opattern.o \
+	global.o iterate.o license.o lpkg.o opattern.o \
 	parse-config.o pkgdb.o plist.o remove.o \
 	str.o var.o version.o vulnerabilities-file.o xwrapper.o
 CPPFLAGS+=	-DSYSCONFDIR=\"$(sysconfdir)\"
 .if !empty(BOOTSTRAP)
 CPPFLAGS+=	-DBOOTSTRAP
 .else
-OBJS+=	pkg_io.o pkg_signature.o
+OBJS+=	gpgsig.o pkg_io.o pkg_signature.o
 .endif
 .if !empty(SSL_SUPPORT)
 CPPFLAGS+=	-DHAVE_SSL
 OBJS+=		pkcs7.o
 .endif
 all: $(LIB)
 .c.o:
 	$(CC) $(DEFS) $(CPPFLAGS) $(CFLAGS) -c $<
 $(LIB): $(OBJS)

 @@ -1,23 +1,23 @@
-/*	$NetBSD: gpgsig.c,v 1.3 2009/08/02 17:56:45 joerg Exp $	*/
+/*	$NetBSD: gpgsig.c,v 1.4 2015/09/01 12:14:06 jperkin Exp $	*/
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
 #include <nbcompat.h>
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: gpgsig.c,v 1.3 2009/08/02 17:56:45 joerg Exp $");
+__RCSID("$NetBSD: gpgsig.c,v 1.4 2015/09/01 12:14:06 jperkin Exp $");
 /*-
  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
+ *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
 @@ -41,125 +41,65 @@ __RCSID("$NetBSD: gpgsig.c,v 1.3 2009/08
 #include <sys/wait.h>
 #ifndef NETBSD
 #include <nbcompat/err.h>
 #else
 #include <err.h>
 #endif
 #ifndef NETBSD
 #include <nbcompat/stdlib.h>
 #else
 #include <stdlib.h>
 #endif
 #include "lib.h"
 #include "netpgpverify/verify.h"
 static void
 verify_signature(const char *input, size_t input_len, const char *keyring,
     const char *detached_signature)
 	const char *argv[8], **argvp;
 	pid_t child;
 	int fd[2], status;
 	if (pipe(fd) == -1)
 		err(EXIT_FAILURE, "cannot create input pipes");
 	child = vfork();
 	if (child == -1)
 		err(EXIT_FAILURE, "cannot fork GPG process");
 	if (child == 0) {
 		close(fd[1]);
 		close(STDIN_FILENO);
 		if (dup2(fd[0], STDIN_FILENO) == -1) {
 			static const char err_msg[] =
 			    "cannot redirect stdin of GPG process\n";
 			write(STDERR_FILENO, err_msg, sizeof(err_msg) - 1);
 			_exit(255);
 		close(fd[0]);
 		argvp = argv;
 		*argvp++ = gpg_cmd;
 		*argvp++ = "--verify";
 		if (keyring != NULL) {
 			*argvp++ = "--no-default-keyring";
 			*argvp++ = "--keyring";
 			*argvp++ = keyring;
 		if (detached_signature != NULL)
 			*argvp++ = detached_signature;
 		*argvp++ = "-";
 		*argvp = NULL;
 		execvp(gpg_cmd, __UNCONST(argv));
 		_exit(255);
 	close(fd[0]);
 	if (write(fd[1], input, input_len) != (ssize_t)input_len)
 		errx(EXIT_FAILURE, "Short read from GPG");
 	close(fd[1]);
 	waitpid(child, &status, 0);
 	if (status)
 		errx(EXIT_FAILURE, "GPG could not verify the signature");
 int
-inline_gpg_verify(const char *content, size_t len, const char *keyring)
+gpg_verify(const char *content, size_t len, const char *keyring,
     const char *sig, size_t sig_len)
+{
-	verify_signature(content, len, keyring, NULL);
+	pgpv_t pgp;
 	pgpv_cursor_t cursor;
-	return 0;
+	static const char hdr1[] = "-----BEGIN PGP SIGNED MESSAGE-----\n";
 	static const char hdr2[] = "Hash: SHA512\n\n";
 	ssize_t buflen;
-int
+	char *buf;
 detached_gpg_verify(const char *content, size_t len,
-    const char *signature, size_t signature_len, const char *keyring)
+	/*
 	 * If there is a detached signature we need to construct a format that
-	int fd;
+	 * netpgp can parse, otherwise use as-is.
-	const char *tmpdir;
+	 */
-	char *tempsig;
+	if (sig_len) {
-	ssize_t ret;
+		buf = xasprintf("%s%s%s%s", hdr1, hdr2, content, sig);
 		buflen = strlen(buf);
-	if (gpg_cmd == NULL) {
+	} else {
-		warnx("GPG variable not set, failing signature check");
+		buf = content;
-		return -1;
+		buflen = len;
+	}
-	if ((tmpdir = getenv("TMPDIR")) == NULL)
+	memset(&pgp, 0, sizeof(pgp));
-		tmpdir = "/tmp";
+	memset(&cursor, 0, sizeof(cursor));
 	tempsig = xasprintf("%s/pkg_install.XXXXXX", tmpdir);
 	if (!pgpv_read_pubring(&pgp, keyring, -1))
-	fd = mkstemp(tempsig);
+		err(EXIT_FAILURE, "cannot read keyring");
 	if (fd == -1) {
-		warnx("Creating temporary file for GPG signature failed");
+	if (!pgpv_verify(&cursor, &pgp, buf, buflen))
-		return -1;
+		errx(EXIT_FAILURE, "unable to verify signature: %s",
 		    cursor.why);
 	while (signature_len) {
 		ret = write(fd, signature, signature_len);
 		if (ret == -1)
 			err(EXIT_FAILURE, "Write to GPG failed");
 		if (ret == 0)
 			errx(EXIT_FAILURE, "Short write to GPG");
 		signature_len -= ret;
 		signature += ret;
-	verify_signature(content, len, keyring, tempsig);
+	pgpv_close(&pgp);
-	unlink(tempsig);
+	if (sig_len)
-	close(fd);
+		free(buf);
 	free(tempsig);
 	return 0;
+}
 int
 detached_gpg_sign(const char *content, size_t len, char **sig, size_t *sig_len,
     const char *keyring, const char *user)
+{
 	const char *argv[12], **argvp;
 	pid_t child;
 	int fd_in[2], fd_out[2], status;
 	size_t allocated;
 	ssize_t ret;

 @@ -1,14 +1,14 @@
-/* $NetBSD: lib.h,v 1.65 2014/12/30 15:13:21 wiz Exp $ */
+/* $NetBSD: lib.h,v 1.66 2015/09/01 12:14:06 jperkin Exp $ */
 /* from FreeBSD Id: lib.h,v 1.25 1997/10/08 07:48:03 charnier Exp */
 /*
  * FreeBSD install - a package for the installation and maintainance
  * of non-core utilities.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
 @@ -390,29 +390,27 @@ int pkg_full_signature_check(const char
 void pkg_sign_x509(const char *, const char *, const char *, const char *);
 #endif
 void pkg_sign_gpg(const char *, const char *);
 #ifdef HAVE_SSL
 /* PKCS7 signing/verification */
 int easy_pkcs7_verify(const char *, size_t, const char *, size_t,
     const char *, int);
 int easy_pkcs7_sign(const char *, size_t, char **, size_t *, const char *,
     const char *);
 #endif
-int inline_gpg_verify(const char *, size_t, const char *);
+int gpg_verify(const char *, size_t, const char *, const char *, size_t);
 int detached_gpg_verify(const char *, size_t, const char *, size_t,
     const char *);
 int detached_gpg_sign(const char *, size_t, char **, size_t *, const char *,
     const char *);
 /* License handling */
 int add_licenses(const char *);
 int acceptable_license(const char *);
 int acceptable_pkg_license(const char *);
 void load_license_lists(void);
 /* Helper functions for memory allocation */
 char *xstrdup(const char *);
 void *xrealloc(void *, size_t);
 void *xcalloc(size_t, size_t);

 @@ -1,23 +1,23 @@
-/*	$NetBSD: pkg_signature.c,v 1.11 2013/09/11 14:10:05 khorben Exp $	*/
+/*	$NetBSD: pkg_signature.c,v 1.12 2015/09/01 12:14:06 jperkin Exp $	*/
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
 #include <nbcompat.h>
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: pkg_signature.c,v 1.11 2013/09/11 14:10:05 khorben Exp $");
+__RCSID("$NetBSD: pkg_signature.c,v 1.12 2015/09/01 12:14:06 jperkin Exp $");
 /*-
  * Copyright (c) 2008 Joerg Sonnenberger <joerg@NetBSD.org>.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
+ *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
 @@ -356,28 +356,28 @@ pkg_verify_signature(const char *archive
 			    entry, GPG_SIGNATURE_FNAME,
 			    &signature_file, &signature_len);
 		if (r == -1) {
 			archive_read_finish(*archive);
 			*archive = NULL;
 			free(state);
 			free(hash_file);
 			goto no_valid_signature;
 		} else if (r != 0) {
 			free(hash_file);
 			free(state);
 			goto no_valid_signature;
+		}
-		has_sig = !detached_gpg_verify(hash_file, hash_len,
+		has_sig = !gpg_verify(hash_file, hash_len, gpg_keyring_verify,
-		    signature_file, signature_len, gpg_keyring_verify);
+		    signature_file, signature_len);
 		free(signature_file);
 	} else {
 #ifdef HAVE_SSL
 		has_sig = !easy_pkcs7_verify(hash_file, hash_len, signature_file,
 		    signature_len, certs_packages, 1);
 		free(signature_file);
 #else
 		warnx("No OpenSSL support compiled in, skipping signature");
 		has_sig = 0;
 		free(signature_file);
 #endif

 @@ -1,14 +1,14 @@
-/*	$NetBSD: version.h,v 1.168 2015/05/08 16:29:37 agc Exp $	*/
+/*	$NetBSD: version.h,v 1.169 2015/09/01 12:14:06 jperkin Exp $	*/
 /*
  * Copyright (c) 2001 Thomas Klausner.  All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
+ *
 @@ -17,16 +17,16 @@
  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #ifndef _INST_LIB_VERSION_H_
 #define _INST_LIB_VERSION_H_
-#define PKGTOOLS_VERSION 20150508
+#define PKGTOOLS_VERSION 20150901
 #endif /* _INST_LIB_VERSION_H_ */

 @@ -1,14 +1,14 @@
-/*	$NetBSD: vulnerabilities-file.c,v 1.7 2010/06/16 23:02:49 joerg Exp $	*/
+/*	$NetBSD: vulnerabilities-file.c,v 1.8 2015/09/01 12:14:06 jperkin Exp $	*/
 /*-
  * Copyright (c) 2008, 2010 Joerg Sonnenberger <joerg@NetBSD.org>.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
+ *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in
 @@ -28,27 +28,27 @@
  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #if HAVE_CONFIG_H
 #include "config.h"
 #endif
 #include <nbcompat.h>
 #if HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
 #endif
-__RCSID("$NetBSD: vulnerabilities-file.c,v 1.7 2010/06/16 23:02:49 joerg Exp $");
+__RCSID("$NetBSD: vulnerabilities-file.c,v 1.8 2015/09/01 12:14:06 jperkin Exp $");
 #if HAVE_SYS_STAT_H
 #include <sys/stat.h>
 #endif
 #if HAVE_SYS_WAIT_H
 #include <sys/wait.h>
 #endif
 #ifndef BOOTSTRAP
 #include <archive.h>
 #endif
 #include <ctype.h>
 #if HAVE_ERR_H
 #include <err.h>
 @@ -100,32 +100,27 @@ verify_signature_pkcs7(const char *input
 	end_sig += strlen(pkcs7_end);
 	if (easy_pkcs7_verify(begin_pkgvul, end_pkgvul - begin_pkgvul,
 	    begin_sig, end_sig - begin_sig, certs_pkg_vulnerabilities, 0))
 		errx(EXIT_FAILURE, "Unable to verify PKCS7 signature");
 #else
 	errx(EXIT_FAILURE, "OpenSSL support is not compiled in");
 #endif
+}
 static void
 verify_signature(const char *input, size_t input_len)
+{
-	if (gpg_cmd == NULL && certs_pkg_vulnerabilities == NULL)
+	gpg_verify(input, input_len, gpg_keyring_pkgvuln, NULL, 0);
 		errx(EXIT_FAILURE,
 		    "At least GPG or CERTIFICATE_ANCHOR_PKGVULN "
 		    "must be configured");
 	if (gpg_cmd != NULL)
 		inline_gpg_verify(input, input_len, gpg_keyring_pkgvuln);
 	if (certs_pkg_vulnerabilities != NULL)
 		verify_signature_pkcs7(input);
+}
 static void *
 sha512_hash_init(void)
+{
 	static SHA512_CTX hash_ctx;
 	SHA512_Init(&hash_ctx);
 	return &hash_ctx;
+}