[Gnu-arch-users] Archive signing mini-howto

[James Blackwell]

I'm working on a minihowto dealing with signing archives. I'd like to
include a safer script that the one I've been handing out; one that is
smart enough to handle multiple archives: 

However, that would require a slight change to the signature code --
namely, that =default.check be called with an argument, which would be the
archive name.

 $ mkdir ~/.arch-params/signing && cd ~/.arch-params/signing
 $ cat << EOF > =default.check
 > #!/bin/sh
 > tmp=$(mktemp /tmp/tla-gpgoutputXXXXXX)
 > G_OPTS1="--batch --verify"
 > G_OPTS2="--no-default-keyring --keyring $1.gpg"
 > if ! gpg --batch $G_OPTS1 $G_OPTS2 1>"$tmp" 2>&1; then
 >   cat "$tmp"
 >   rm -f "$tmp"
 >   exit 1
 > fi
 > rm -f "$tmp"
 > EOF

I think its a good idea to do this.  People are inherently lazy; I don't
think they're likely to want to write a new script (and then hack it for a
unique keyring) each time they deal with a new archive. 

This, on the other hand, sets up default keyrings by default. This
encourages people to actually use signed archives properly. Then, they can
add keys to each keyring (which is automatically created by gnupg) as they
need.

-- 
James Blackwell          Try something fun: For the next 24 hours, give
Smile more!              each person you meet a compliment!

GnuPG (ID 06357400) AAE4 8C76 58DA 5902 761D  247A 8A55 DA73 0635 7400