gnu-arch-users
Re: [Gnu-arch-users] signing rules


From: David Allouche
Subject: Re: [Gnu-arch-users] signing rules
Date: Sat, 12 Mar 2005 16:04:10 +0100

On Wed, 2005-03-09 at 00:03 +1100, Robert Collins wrote:
> I wonder if folk would be kind enough to let me know what signing and
> check rules they are using?
> 
> I'm implementing a prototype of
> http://wiki.gnuarch.org/moin.cgi/SigningRules - and knowing what
> =default.check and archive specific check rules are in use, will let me
> provide auto-conversion code for the common case users.
> 
> So - please let me know what you use - and if someone else has already
> said they use the same rule, still let me know :).

=default.check
        tla-gpg-check gpg_command="gpg --verify-files -"

That's, well, the default.

address@hidden (and other check rules)
        ~/.arch-params/bin/my-gpg-check jblack

Each archive uses a named keyring.
All keyrings have only one key so far.

~/.arch-params/bin/my-gpg-check
        #! /bin/sh
        # Run tla-gpg-check against the keyring named on the command line
        # (~/.arch-params/keyrings/NAME.gpg) instead of the default keyring,
        # so each archive only trusts the key(s) it was given.
        if test $# -ne 1 ; then
            echo "Usage: my-gpg-check KEYRING" >&2
            exit 1
        fi
        # $HOME rather than ~: tilde expansion does not happen inside double
        # quotes, nor on the result of expanding $opts later.
        opts="--keyring $HOME/.arch-params/keyrings/$1.gpg --no-default-keyring"
        # quietify -out hides gpg's chatter unless the check fails.
        exec "$HOME/.arch-params/bin/quietify" -out \
            tla-gpg-check gpg_command="gpg $opts --verify-files -"


That's mostly a wrapper that uses the quietify script.

~/.arch-params/bin/quietify

        #! /bin/sh
        # Run a command with its stderr (and, with -out, its stdout) sent to a
        # temporary file; replay that file on stderr only if the command fails.
        set -e
        self=`basename "$0"`
        
        usage () {
            cat <<EOF
        Usage: $self [-out] CMD ARG ...
        
        Execute CMD with the given ARGS.
        
        Stderr is redirected to a temporary file. If CMD exits with a non-zero
        status, the contents of the temporary file are printed to stderr.
        
          -out    also redirect stdout
        
        EOF
        }
        
        if test "$1" = "-out" ; then
            shift
            redirect_stdout=true
        else
            redirect_stdout=false
        fi
        
        if test $# -lt 1 ; then
            usage >&2
            exit 1
        fi
        
        # Exit with status $1; on failure, show the captured output first.
        # Called both on the normal path and from the signal traps below.
        finish () {
            set +e
            if test "$1" -ne 0 && test -n "$logfile" && test -f "$logfile" ; then
                cat "$logfile" >&2
            fi
            test -n "$logfile" && rm -f "$logfile"
            exit "$1"
        }
        
        # Remove the temporary file if we are interrupted or killed.
        for sig in HUP INT QUIT USR1 USR2 PIPE TERM ; do
            trap "finish 1" $sig
        done
        
        # The leading comma marks the file as junk to arch, so it is ignored
        # if the command runs inside a working tree.
        logfile=$(mktemp ,"$self"-"$(basename "$1")".XXXXXX)
        
        set +e
        if $redirect_stdout ; then
            "$@" > "$logfile" 2>&1
            status="$?"
        else
            "$@" 2> "$logfile"
            status="$?"
        fi
        set -e
        
        finish "$status"

IIRC the point of this script is shutting down verbosity, but still
having it handy for diagnostics if something went wrong.

It's quite possible that this effect could have been achieved by passing
the appropriate options to gpg, but at the time I was completely scared
by this software. Toooooo many options.

In a nutshell this setup provides:
      * One keyring per archive.
      * No needless verbosity.
      * Useful diagnostic output in case of failure.
      * Relatively easy addition of new archives.

-- 
                                                            -- ddaa