gnu-arch-users

Re: [Gnu-arch-users] oh the heck with it -- tla-1.2pre0


From: Johannes Berg
Subject: Re: [Gnu-arch-users] oh the heck with it -- tla-1.2pre0
Date: Wed, 07 Jan 2004 16:11:30 +0100

Question:

>   A minimal example of a signature checking rule is:
> 
>         gpg --verify-files -

Is there any particular reason to use that instead of the IMHO simpler
and more intuitive
        gpg --verify
or even
        gpg
only?



Also -- as a note to interested people -- I figured that sometimes I
don't want to simply verify signatures, but also only allow _some_ keys
(that I manually set) to verify properly. This is easiest if you create
a new keyring [1] with all those keys and then use gpgv with that
keyring [2] in your checking rule.
If you don't do this, all you see for a revision that is signed by some
dummy key is:

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 8EB2 49C5 7FDE EF86 DB35  208A 51E8 2618 055C 9D5A

in addition to the normal output of gpg. And if I'm pulling lots of
changes, I'm not sure I'd really notice that.

For the paranoid setup, it would imho be nice to be able to have a
default.check rule like this:
        gpgv --keyring ~/.arch-params/allowed-keys/$ARCH_ARCHIVE

I have done the required modifications in my tla--smallfeatures--1.2
branch (patch-2,3), see also my other mail ("refactored my branches").

This gets less important if gpg is patched to be less verbose (i.e., only
display warnings), but even then I think it's nice to have tla abort
automatically instead of later having to re-examine the situation
manually.

johannes

[1] for example by doing
        gpg --export allowed_id1 allowed_id2 > ~/.arch-params/allowed-keys/<archive_name>

[2] in line with above, your .check rule would be:
        gpgv --keyring ~/.arch-params/allowed-keys/<archive_name>
(I used "gpgv" instead of "gpg --no-default-keyring --verify" because
it's faster, and since we only have good keys in the special keyring we
don't have to use all the extra checking rules gpg has)
-- 
http://www.sipsolutions.de/
GnuPG key: http://www.sipsolutions.de/keys/JohannesBerg.asc
  Key-ID: 9AB78CA5 Johannes Berg <address@hidden>
  Fingerprint = AD02 0176 4E29 C137 1DF6 08D2 FC44 CF86 9AB7 8CA5

Attachment: signature.asc
Description: This is a digitally signed message part
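
The per-archive allowed-keys check described in the message above, as an added example (not part of the original mail and not tla's own code): a shell wrapper around `gpgv --keyring` that fails closed when the keyring is missing or the archive name is unusable. It assumes the signed text arrives on stdin and that the archive name is available (for instance in `ARCH_ARCHIVE`, as the message proposes); `check_allowed` and `KEYRING_DIR` are hypothetical names.

```shell
#!/bin/sh
# Added example: fail-closed wrapper for the per-archive gpgv rule.
# Assumptions: the signed text is on stdin; the archive name is passed in
# (e.g. from $ARCH_ARCHIVE as proposed in the message). KEYRING_DIR and
# check_allowed are hypothetical names.
KEYRING_DIR="${KEYRING_DIR:-$HOME/.arch-params/allowed-keys}"

# Exit status: 0 = signed by a key in the archive's keyring,
#              1 = gpgv rejected the input, 2 = the check could not be run.
check_allowed() {
    archive="$1"
    # An empty name, or one containing "/", could select a keyring
    # outside KEYRING_DIR, so refuse it.
    case "$archive" in
        ''|.|..|*/*) echo "check: bad archive name '$archive'" >&2; return 2 ;;
    esac
    keyring="$KEYRING_DIR/$archive"
    # A missing or empty keyring means no key is allowed: refuse
    # rather than fall back to the default keyring.
    if [ ! -s "$keyring" ]; then
        echo "check: no allowed keys for $archive" >&2
        return 2
    fi
    if ! command -v gpgv >/dev/null 2>&1; then
        echo "check: gpgv not installed" >&2
        return 2
    fi
    # gpgv consults only the given keyring, so an unknown signer gives a
    # non-zero status here instead of a warning to be noticed later.
    if ! gpgv --keyring "$keyring" >/dev/null 2>&1; then
        echo "check: not signed by an allowed key for $archive" >&2
        return 1
    fi
    return 0
}
# As a checking rule this would be invoked as: check_allowed "$ARCH_ARCHIVE"
```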

