[gobolinux-devel] Package signing
MJ Ray
mjr at phonecoop.coop
Sun Nov 19 09:41:27 UTC 2006
"Jonas Karlsson" <jonka750 at student.liu.se> wrote:
> 1) There's no way to get the key that generated a signature, using gpg.
> 2) Even if one gets the id of the key, there's no way to tell which user
> (i.e. what name) it belongs to without downloading it to a keyring
> 3) The user might not want to import packaging users keys to its default
> keyring.
I can't see why 1 and 2 are needed and 3 is fixable. Why not run gpg like
gpg --no-default-keyring --keyring ~/.gnupg/gobopkg.gpg \
    --keyserver-options auto-key-retrieve --verify ${sig} ${pkg}
?
I can't see how you'd find out name without downloading.
It's a good idea to have a packaging keyring. Maybe later
there will be a gobo keyring server.
Hope that helps,
--
MJ Ray - see/vidu http://mjr.towers.org.uk/email.html
Somerset, England. Work/Laborejo: http://www.ttllp.co.uk/
IRC/Jabber/SIP: on request/peteble
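
Added example, not part of the message above: the suggested gpg invocation wrapped so that the signer's fingerprint is read from gpg's machine-readable `--status-fd` output and checked against a list of accepted packagers. The helper names, the allow-list file and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; helper names, allow-list file and sample data are constructed.

# Read `gpg --status-fd` lines on stdin; print the fingerprint of the key
# that made a valid signature. Fails on bad, expired or revoked signatures
# and when no VALIDSIG line is present (e.g. the key could not be fetched).
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" { fpr = $3 }   # field 3: signing key fingerprint
        END { if (bad || fpr == "") exit 1; print fpr }
    '
}

# fpr_allowed FPR FILE: succeed only if FPR is a whole line of FILE
# (one packager fingerprint per line; the file is a hypothetical allow-list).
fpr_allowed() {
    grep -qxF -- "$1" "$2"
}

# verify_pkg SIG PKG ALLOWED: verify with the packaging keyring only, then
# require the signer to be on the allow-list. Prints the fingerprint.
verify_pkg() {
    status=$(gpg --no-default-keyring --keyring "$HOME/.gnupg/gobopkg.gpg" \
        --keyserver-options auto-key-retrieve \
        --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | signer_from_status) || return 1
    fpr_allowed "$fpr" "$3" || return 2
    printf '%s\n' "$fpr"
}

# Constructed status output for a good signature (not captured from gpg).
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2006-11-19 1163929287 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567'
printf '%s\n' "$SAMPLE_GOOD" | signer_from_status
```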