[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & c
From: |
Ludovic Courtès |
Subject: |
[bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co. |
Date: |
Sun, 16 Sep 2018 23:02:04 +0200 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) |
Hello,
Leo Famulari <address@hidden> skribis:
> On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Courtès wrote:
>> Hello Guix,
>>
>> (Cc’ing people with expertise and interest in this…)
>>
>> This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
>> file format to store and read upstream public keys (instead of using the
>> user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
>> of ‘gpg --verify’.
>>
>> ‘gpgv’ is specifically designed for use cases like software signature
>> verification against a keyring of “trusted keys” (it’s used by APT and
>> Werner Koch recommends it¹.) A significant difference compared to
>> ‘gpg --verify’ is that it doesn’t check whether keys are expired or
>> revoked; all that matters is whether the signature is valid and whether
>> the signing key is in the specified keyring. I think that’s what we
>> want when checking the signature of a tarball or Git commit.
>
> Great, this is a big improvement. It would be awesome if we could get
> similar support in Git (or find another way to authenticate our code).
Yes, that was partly the motivation for this change.
Pushed as b9e1fddfd8c29b2fa6252ef52a75daa14aaabd3e.
Thanks Mike & Leo for your feedback!
Ludo’.