[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & c
From: |
Leo Famulari |
Subject: |
[bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co. |
Date: |
Thu, 13 Sep 2018 12:29:04 -0400 |
User-agent: |
Mutt/1.10.1 (2018-07-13) |
On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Courtès wrote:
> Hello Guix,
>
> (Cc’ing people with expertise and interest in this…)
>
> This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
> file format to store and read upstream public keys (instead of using the
> user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
> of ‘gpg --verify’.
>
> ‘gpgv’ is specifically designed for use cases like software signature
> verification against a keyring of “trusted keys” (it’s used by APT and
> Werner Koch recommends it¹.) A significant difference compared to
> ‘gpg --verify’ is that it doesn’t check whether keys are expired or
> revoked; all that matters is whether the signature is valid and whether
> the signing key is in the specified keyring. I think that’s what we
> want when checking the signature of a tarball or Git commit.
Great, this is a big improvement. It would be awesome if we could get
similar support in Git (or find another way to authenticate our code).
> This patch changes the behavior of ‘guix refresh -u’, which now uses,
> by default, the keyring at ~/.config/guix/upstream/trustedkeys.kbx.
> That means that if you already have upstream keys in your own keyring,
> you’ll probably want to export them to this keyring.
>
> Unfortunately the keybox format and tools are poorly documented, which
> is why I gave examples on how to do that in guix.texi.
>
> Feedback welcome!
LGTM!
signature.asc
Description: PGP signature