Re: [Gnu-arch-users] signing rules

[John A Meinel]

Robert Collins wrote:

> I wonder if folk would be kind enough to let me know what signing and
> check rules they are using?
>
> I'm implementing a prototype of
> http://wiki.gnuarch.org/moin.cgi/SigningRules - and knowing what
> \=default.check and archive specific check rules are in use, will let me
> provide auto-conversion code for the common case users.
>
> So - please let me know what you use - and if someone else has already
> said they use the same rule, still let me know :).
>
> Rob
>  

In general, I'm using "gpg --clearsign --use-agent" for my signing rule, 
and for checking
gpg-check.awk gpg_command="gpg --verify-files - 2>/dev/null"
With the gpg-check.awk script that was in tlacontrib, or something like 
that. I can't find it right now, I always just copy it from machine to 
machine.

I do wish that by default when setting up a mirror, tla would default to 
copying the signature. Rather than having to manually create the 
~/.arch-params/signing/${ARCHIVE}-MIRROR file.

On win32 there is no gpg-agent, so I'm playing around with a simple auth 
agent. It's not nearly as nice as gpg-agent, just something to remember 
my password while I'm logged in. It's moderately secure in my case, 
where there is a single login at a time (authentication is binding to a 
local port), but in a more multi-user env you would want something 
better. I just never figured out how to implement a user permissioned 
communication port like UNIX sockets on windows.

John
=:->

signature.asc
Description: OpenPGP digital signature