[gobolinux-devel] Package signing

Jonas Karlsson jonka750 at student.liu.se
Sun Nov 19 10:30:52 UTC 2006


On Sun, 19 Nov 2006 10:41:27 +0100, MJ Ray <mjr at phonecoop.coop> wrote:

> "Jonas Karlsson" <jonka750 at student.liu.se> wrote:
>> 1) There's no way to get the key that generated a signature, using gpg.
>> 2) Even if one gets the id of the key, there's no way to tell which user
>> (i.e. what name) it belongs to without downloading it to a keyring
>> 3) The user might not want to import packaging users' keys to its default
>> keyring.
>
> I can't see why 1 and 2 are needed and 3 is fixable.  Why not run gpg like
> gpg --no-default-keyring --keyring ~/.gnupg/gobopkg.gpg \
>   --keyserver-options auto-key-retrieve --verify ${sig} ${pkg}
> ?
>
Why I wanted 1 and 2 is because I didn't want to autoretrieve the key.
Perhaps the above action could be used with a temporary keyring (if the
real verification failed) and then ask if the user wants to import the key
to the gobopkg.pgp?

> I can't see how you'd find out name without downloading.
> It's a good idea to have a packaging keyring.  Maybe later
> there will be a gobo keyring server.
>
> Hope that helps,
It may help a bit. :)

-- 
/Jonas
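
The temporary-keyring flow discussed in this message, as an added example that is not part of the original post or of any GoboLinux tool. It reads the signer's key ID from gpg's `--status-fd` output (the `NO_PUBKEY` line), fetches that key into a throwaway keyring, and imports it into the packaging keyring only on confirmation; the function names are hypothetical and a configured keyserver is assumed.

```shell
#!/bin/sh
# Added example. Keyring path follows the thread; function names are hypothetical.
GOBO_KEYRING="${GOBO_KEYRING:-$HOME/.gnupg/gobopkg.gpg}"

# Print the key ID from a "[GNUPG:] NO_PUBKEY <id>" status line read on stdin.
missing_key_id() {
    awk '$1 == "[GNUPG:]" && $2 == "NO_PUBKEY" { print $3; exit }'
}

# Succeed only on GOODSIG, which gpg emits for a good signature from a key
# that is neither expired nor revoked (those cases get EXPKEYSIG/REVKEYSIG).
has_good_sig() {
    grep -q '^\[GNUPG:\] GOODSIG '
}

# Verify SIG over PKG using only the given keyring; print gpg's status lines.
verify_with() {
    gpg --batch --no-default-keyring --keyring "$1" \
        --status-fd 1 --verify "$2" "$3" 2>/dev/null
}

# verify_pkg SIG PKG: returns 0 only when a key in $GOBO_KEYRING validates PKG.
verify_pkg() {
    status=$(verify_with "$GOBO_KEYRING" "$1" "$2") || true
    if printf '%s\n' "$status" | has_good_sig; then return 0; fi
    keyid=$(printf '%s\n' "$status" | missing_key_id)
    [ -n "$keyid" ] || return 1        # bad signature, not merely an unknown key
    tmp=$(mktemp -d) || return 1
    # Fetch into a throwaway keyring so nothing touches the packaging keyring
    # before the user has seen who claims to own the key.
    if gpg --batch --no-default-keyring --keyring "$tmp/candidate.gpg" \
           --recv-keys "$keyid" 2>/dev/null; then
        # The user ID is self-asserted; the fingerprint is what to compare
        # against a copy obtained from the packager by another route.
        gpg --no-default-keyring --keyring "$tmp/candidate.gpg" --fingerprint "$keyid"
        printf 'Import this key into %s? [y/N] ' "$GOBO_KEYRING"
        read -r answer
        if [ "$answer" = "y" ]; then
            gpg --no-default-keyring --keyring "$tmp/candidate.gpg" --export "$keyid" |
                gpg --batch --no-default-keyring --keyring "$GOBO_KEYRING" --import
        fi
    fi
    rm -rf "$tmp"
    verify_with "$GOBO_KEYRING" "$1" "$2" | has_good_sig
}
```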
