[Monotone-devel] Re: WARNING: ~/.monotone/keys CONSIDERED HARMFUL

[Lapo Luchini]

Marcin W. Dąbrowski wrote:
> Would it be ever possible to have an option to use external
> tools for signing certs? I.e. GnuPG signatures?

Not right now (and it's not planned, AFAIK), but you can do of course
things that pretty much guarantee the same thing:

1. GPG-sign your monotone public key: this way people that trust your
GPG key know that they can trust your monotone signatures (if they trust
monotone itself, that is)

2. GPG-sign a revision id: people that trust your GPG key might take
that as you asserting that that (single) revision is "good"

3. GPG-sign the output of "mtn log --next=1 --no-graph", in order to
testify not only the revision content but also the main certs

I'm not saying that this is any better than relying on the internal
monotone crypto (which suffices in my case), but if you already have
deployed a large PKI, yuo might as well use it this way also.
When you sign something "manually" always remember: it *has* to be a
parseable format even if you'll never need to parse it (basically that
means that it has an unique meaning, and no one can interpret your
signature in a different way - like for example the first RSA GPG key
could be, as private key and public key were not properly "separated" in
hashing them).

-- 
Lapo Luchini - http://lapo.it/

“In God we trust. Everybody else we verify using PGP!” (Tim Newsome)