Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff


From: Tom Lord
Subject: Re: [Gnu-arch-users] tla--devo--1.2 has preliminary gpg stuff
Date: Fri, 26 Dec 2003 20:01:11 -0800 (PST)

    > From: Andrew Suffield <address@hidden>

    > Not instead of, but also:

    > If we ever see a =meta-info/signed-archive file, record that locally
    > (presumably in .arch-params); if we have a local record and the
    > archive is unsigned, abort immediately. Such records would never be
    > reverted except via explicit user intervention.

    > That won't help users who never touched the archive before it was
    > compromised, but it will both help existing users, and serve as a
    > fairly effective mechanism for detection (only *one* person has to
    > report the archive corruption).

    > It introduces a constraint that you never convert a signed archive
    > into an unsigned one - which is probably a reasonable constraint.

What I've actually done is slightly different.

To check signatures on client-side operations, you create a file in
~/.arch-params/signing.  For example, to check a given ARCHIVE you
put a rule in:

        ~/.arch-params/ARCHIVE.check

If an archive is signed, but you have no rule, but do have:

        ~/.arch-params/=default.check

Now, if you have:

        ~/.arch-params/ARCHIVE.check

but ARCHIVE is not signed -- that's a fatal error.

-t
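The two policies discussed in this thread (Andrew Suffield's "remember that an archive was once signed and refuse an unsigned one afterwards", and Tom Lord's per-archive and default `.check` rule files under `~/.arch-params`) can be modelled as a small decision function each. The code below is an added illustration, not tla's own implementation. It assumes, where the message leaves it open, that a signed archive with no `ARCHIVE.check` but with a `=default.check` is checked against the default rule, and that a signed archive with no rule at all is simply not checked; the archive names and rule-file contents are constructed for the example.

```python
"""Model of the archive-signature policies from the gnu-arch-users thread.

Added example, not code from tla. Rule files live in a scratch directory
standing in for ~/.arch-params.
"""
import tempfile
from pathlib import Path


class SignaturePolicyError(Exception):
    """Raised where the thread says the client should abort."""


def select_check_rule(params_dir: Path, archive: str, archive_is_signed: bool):
    """Tom Lord's scheme: which rule file (if any) governs ARCHIVE.

    - ARCHIVE.check present and archive signed   -> use ARCHIVE.check
    - ARCHIVE.check present and archive unsigned -> fatal error
    - no ARCHIVE.check, archive signed, =default.check present -> use it
      (assumed semantics; the message does not spell this case out)
    - otherwise -> no rule, signatures are not checked
    """
    specific = params_dir / f"{archive}.check"
    default = params_dir / "=default.check"
    if specific.exists():
        if not archive_is_signed:
            raise SignaturePolicyError(
                f"{archive}: a check rule exists but the archive is not signed")
        return specific
    if archive_is_signed and default.exists():
        return default
    return None


def record_and_enforce_signed(params_dir: Path, archive: str, archive_is_signed: bool):
    """Andrew Suffield's proposal: once an archive has been seen signed,
    remember that locally and abort if it later shows up unsigned.
    The marker file name is an assumption for this example."""
    marker = params_dir / f"{archive}.seen-signed"
    if archive_is_signed:
        marker.touch()          # never removed automatically
        return "signed"
    if marker.exists():
        raise SignaturePolicyError(
            f"{archive}: previously signed, now unsigned; refusing (possible tampering)")
    return "unsigned, never seen signed"


def demo():
    """Exercise both policies against constructed archives; returns outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        params = Path(tmp)
        # constructed rule files, not real tla rule syntax
        (params / "=default.check").write_text("trust-default\n")
        (params / "example@example.org--2003.check").write_text("trust-example\n")

        out["specific"] = select_check_rule(params, "example@example.org--2003", True).name
        out["default"] = select_check_rule(params, "other@example.net--2003", True).name
        out["none"] = select_check_rule(params, "other@example.net--2003", False)
        try:
            select_check_rule(params, "example@example.org--2003", False)
            out["fatal"] = False
        except SignaturePolicyError:
            out["fatal"] = True

        out["first_signed"] = record_and_enforce_signed(params, "tofu@example.org--2003", True)
        try:
            record_and_enforce_signed(params, "tofu@example.org--2003", False)
            out["downgrade_blocked"] = False
        except SignaturePolicyError:
            out["downgrade_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints one line per case; the "fatal" and "downgrade_blocked" cases are the ones where the client refuses to proceed, which is the detection signal Andrew describes (a single user hitting it is enough to surface a downgraded archive).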