[gobolinux-devel] Package signing

[Ricardo Nabinger Sanchez]

On Sun, 19 Nov 2006 11:30:52 +0100
"Jonas Karlsson" <jonka750 at student.liu.se> wrote:

> > I can't see why 1 are 2 are needed and 3 is fixable.  Why not run gpg  
> > like
> > gpg --no-default-keyring --keyring ~/.gnupg/gobopkg.gpg \
> >   -−keyserver‐options auto‐key‐retrieve --verify ${sig} ${pkg}
> > ?
> >
> Why I wanted 1 and 2 is because I didn't want to autoretrieve the key.  
> Perhaps the above action could be used with a temporary keyring (if the  
> real verification failed) and then ask if the user want to import the key  
> to the gobopkg.pgp?

Sorry, but why mixing the keyring of the "system" with user's?  I see that a
different file is used, but I think a Gobo-specific place should be used,
like /S/S/Gobo or another system-scope path that don't populate some user
home (even the superuser).

Also, have you tried the --search-keys option?

% gpg --keyserver pgp.mit.edu --search-keys \
0x593D4ACB6F210EECF5521AB041AD67F2726F9854
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "0x593D4ACB6F210EECF5521AB041AD67F2726F9854" from hkp
server pgp.mit.edu
(1)     Ricardo Nabinger Sanchez (Basco) <rnsanchez at terra.com.br>
          1024 bit DSA key 726F9854, created: 2004-07-05
Enter number(s), N)ext, or Q)uit > q

% gpg --keyserver pgp.mit.edu --search-keys '<rnsanchez at terra.com.br>'
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: searching for "<rnsanchez at terra.com.br>" from hkp server pgp.mit.edu
(1)     Ricardo Nabinger Sanchez (Basco) <rnsanchez at terra.com.br>
          1024 bit DSA key 726F9854, created: 2004-07-05
Enter number(s), N)ext, or Q)uit > q

-- 
Ricardo Nabinger Sanchez     <rnsanchez@{gmail.com,wait4.org}>
Powered by FreeBSD

  "Left to themselves, things tend to go from bad to worse."