[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & c

From: Mike Gerwitz
Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
Date: Sun, 09 Sep 2018 21:55:33 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

On Sun, Sep 09, 2018 at 22:43:35 +0200, Ludovic Courtès wrote:
> A significant difference compared to ‘gpg --verify’ is that it doesn’t
> check whether keys are expired or revoked; all that matters is whether
> the signature is valid and whether the signing key is in the specified
> keyring.  I think that’s what we want when checking the signature of a
> tarball or Git commit.

Agreed.  Git's use of `gpg --verify' is particularly annoying for this.

> Unfortunately the keybox format and tools are poorly documented, which
> is why I gave examples on how to do that in guix.texi.

Thank you!

> Feedback welcome!

LGTM.  Thanks for CC'ing.

Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05

Attachment: signature.asc
Description: PGP signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]