[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Gnu-arch-users] oh the heck with it -- tla-1.2pre0
From: |
Johannes Berg |
Subject: |
Re: [Gnu-arch-users] oh the heck with it -- tla-1.2pre0 |
Date: |
Wed, 07 Jan 2004 16:11:30 +0100 |
Question:
> A minimal example of a signature checking rule is:
>
> gpg --verify-files -
Is there any particular reason to use that instead of the IMHO simpler
and more intuitive
gpg --verify
or even
gpg
only?
Also -- as a note to interested people -- I figured that sometimes I
don't want to simply verify signatures, but also only allow _some_ keys
(that I manually set) to verify properly. This is easiest if you create
a new keyring [1] with all those keys and then use gpgv with that
keyring [2] in your checking rule.
If you don't do this, all you see for a revision that is signed by some
dummy key is:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8EB2 49C5 7FDE EF86 DB35 208A 51E8 2618 055C 9D5A
in addition to the normal output of gpg. And if I'm pulling lots of
changes, I'm not sure I'd really notice that.
For the paranoid setup, it would imho be nice to be able to have a
default.check rule like this:
gpgv --keyring ~/.arch-params/allowed-keys/$ARCH_ARCHIVE
I have done the required modifications in my tla--smallfeatures--1.2
branch (patch-2,3), see also my other mail ("refactored my branches").
This gets less important if gpg is patched to be less verbose (ie, only
display warnings), but even then I think its nice to have tla abort
automatically instead of later having to re-examine the situation
manually.
johannes
[1] for example by doing
gpg --export allowed_id1 allowed_id2 >
~/.arch-params/allowed-keys/<archive_name>
[2] in line with above, your .check rule would be:
gpgv --keyring ~/.arch-params/allowed-keys/<archive_name>
(I used "gpgv" instead of "gpg --no-default-keyring --verify" because
its faster, and since we only have good keys in the special keyring we
don't have to use all the extra checking rules gpg has)
--
http://www.sipsolutions.de/
GnuPG key: http://www.sipsolutions.de/keys/JohannesBerg.asc
Key-ID: 9AB78CA5 Johannes Berg <address@hidden>
Fingerprint = AD02 0176 4E29 C137 1DF6 08D2 FC44 CF86 9AB7 8CA5
signature.asc
Description: This is a digitally signed message part