
[Gnu-arch-users] Re: Archive signing mini-howto


From: Daniel Schoemer
Subject: [Gnu-arch-users] Re: Archive signing mini-howto
Date: Tue, 28 Sep 2004 10:05:21 +0200
User-agent: slrn/0.9.8.0 (Linux)

James Blackwell wrote:
>
> I'm working on a minihowto dealing with signing archives. I'd like to
> include a safer script than the one I've been handing out; one that is
> smart enough to handle multiple archives: 
>
> However, that would require a slight change to the signature code --
> namely, that =default.check be called with an argument, which would be the
> archive name.
>
> [...]
>
> This, on the other hand, sets up default keyrings by default. This
> encourages people to actually use signed archives properly. Then, they can
> add keys to each keyring (which is automatically created by gnupg) as they
> need.

Sounds great.

I've slightly modified your =default.check.  It is now compatible with sh
(`..` instead of $(..)) and it can be used even if called without an
argument so it can be used right now.  In this case, gpg uses the
default keyring.

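,-- ~/.arch-params/signing/=default.check
#!/bin/sh
# Verify the signed data on stdin; print gpg's output only on failure.
tmp=`mktemp /tmp/tla-gpgoutputXXXXXX` || exit 1
G_OPTS1="--batch --verify"
# With an argument (the archive name), use only the keyring <name>.gpg;
# without one, gpg falls back to the default keyring.
G_OPTS2=""
test -n "$1" && G_OPTS2="--no-default-keyring --keyring $1.gpg"
if ! gpg $G_OPTS1 $G_OPTS2 1>"$tmp" 2>&1; then
  cat "$tmp"
  rm -f "$tmp"
  exit 1
fi
rm -f "$tmp"
`----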

Daniel Schoemer
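
A variant of the check script above that fails closed on archive names gpg would not resolve to a keyring in its home directory (gpg treats a `--keyring` value without a slash as a file in the GnuPG home directory). This is an added example, not code from the thread; the function names `keyring_opts` and `check_signature`, the `GPG` override variable and the rejected-name rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. GPG may be overridden (e.g. for testing).
GPG=${GPG:-gpg}

# Print the gpg keyring options for an archive name.
# Empty name: print nothing, so gpg uses the default keyring.
# Returns 1 for names that are option-like, contain a path, or contain
# whitespace, since those would not select <name>.gpg in the GnuPG home.
keyring_opts() {
  case "$1" in
    "") return 0 ;;
    -*|*/*|*[[:space:]]*) return 1 ;;
  esac
  printf '%s' "--no-default-keyring --keyring $1.gpg"
}

# Verify the signed data on stdin against the keyring for archive "$1".
# Quiet on success; on failure print gpg's output and return 1.
check_signature() {
  opts=`keyring_opts "$1"` || { echo "bad archive name: $1" >&2; return 1; }
  tmp=`mktemp /tmp/tla-gpgoutputXXXXXX` || return 1
  if $GPG --batch --verify $opts >"$tmp" 2>&1; then
    rm -f "$tmp"
    return 0
  fi
  cat "$tmp"
  rm -f "$tmp"
  return 1
}

# Run the check only when this file is installed as the hook itself.
case "${0##*/}" in
  "=default.check") check_signature "$1"; exit $? ;;
esac
```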
