[Gnu-arch-users] Archive signing mini-howto

From: James Blackwell
Subject: [Gnu-arch-users] Archive signing mini-howto
Date: Tue, 28 Sep 2004 00:12:16 -0400
User-agent: Mutt/1.5.6+20040523i

I'm working on a minihowto dealing with signing archives. I'd like to
include a safer script than the one I've been handing out; one that is
smart enough to handle multiple archives.

However, that would require a slight change to the signature code --
namely, that =default.check be called with an argument, which would be the
archive name.

 $ mkdir ~/.arch-params/signing && cd ~/.arch-params/signing
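 $ cat << 'EOF' > =default.check
 > #!/bin/sh
 > # The quoted 'EOF' above keeps $(...), $1 and $tmp from being expanded
 > # while the file is written; they must be evaluated when the check runs.
 > # $1 is the archive name; signatures are checked against <archive>.gpg only.
 > tmp=$(mktemp /tmp/tla-gpgoutputXXXXXX)
 > G_OPTS1="--batch --verify"
 > G_OPTS2="--no-default-keyring --keyring $1.gpg"
 > # Stay quiet on success; show gpg's output only when verification fails.
 > if ! gpg $G_OPTS1 $G_OPTS2 1>"$tmp" 2>&1; then
 >   cat "$tmp"
 >   rm -f "$tmp"
 >   exit 1
 > fi
 > rm -f "$tmp"
 > EOF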

I think it's a good idea to do this.  People are inherently lazy; I don't
think they're likely to want to write a new script (and then hack it for a
unique keyring) each time they deal with a new archive. 

This, on the other hand, sets up default keyrings by default. This
encourages people to actually use signed archives properly. Then, they can
add keys to each keyring (which is automatically created by gnupg) as they

James Blackwell          Try something fun: For the next 24 hours, give
Smile more!              each person you meet a compliment!

GnuPG (ID 06357400) AAE4 8C76 58DA 5902 761D  247A 8A55 DA73 0635 7400
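
The per-archive keyring lookup described in the message, as an added example that is not part of the original post or of tla: it validates the archive name before building the keyring path, so a name from an untrusted source cannot turn into a gpg option or a path outside the GnuPG home. The function names, the allowed character set and the sample archive name are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the original post): choose a keyring per archive
# and verify against that keyring only.

# keyring_for_archive NAME
# Prints the keyring path for NAME; returns 1 if NAME is not acceptable.
keyring_for_archive() {
  archive=$1
  case $archive in
    ''|-*|*/*) return 1 ;;              # empty, option-like, or contains a path
    *[!A-Za-z0-9@._+-]*) return 1 ;;    # assumed character set for archive names
  esac
  # gpg resolves a bare keyring name inside its home directory; the full path
  # is spelled out here so the file being trusted is explicit.
  printf '%s/%s.gpg\n' "${GNUPGHOME:-$HOME/.gnupg}" "$archive"
}

# verify_for_archive NAME
# Verifies the signed data on stdin. Returns 0 on a good signature,
# 1 on a gpg failure, 2 on a bad archive name, 3 on a missing keyring.
verify_for_archive() {
  keyring=$(keyring_for_archive "$1") || {
    echo "refusing archive name: $1" >&2
    return 2
  }
  # Report a missing keyring distinctly instead of as a signature failure.
  [ -f "$keyring" ] || {
    echo "no keyring for $1 (expected $keyring)" >&2
    return 3
  }
  out=$(gpg --batch --no-default-keyring --keyring "$keyring" --verify 2>&1) || {
    printf '%s\n' "$out" >&2
    return 1
  }
}

# Run as a script with the archive name as the first argument, for example
# the constructed name jane@example.org--2004, and signed data on stdin.
if [ "$#" -gt 0 ]; then
  verify_for_archive "$1"
  exit $?
fi
```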
