bug#22883: Trustable "guix pull"
From: Mike Gerwitz
Subject: bug#22883: Trustable "guix pull"
Date: Sat, 04 Jun 2016 21:43:29 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.92 (gnu/linux)

On Sat, Jun 04, 2016 at 18:19:31 +0200, Werner Koch wrote:
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons. That output creates a well
> defined API and we try very hard never to break it.
> [...]
> I have never looked into git to check whether git correctly calls gpg
> to verify signatures. That should eventually be done.
A quick glance (latest master, gpg-interface.c:208 verify_signed_buffer):
It invokes `gpg --status-fd=1 --verify FILE -`, where FILE is a
signature written to a temporary file for the sake of invoking
GPG. It checks for a non-zero exit code and GOODSIG:

    ret |= !strstr(pbuf->buf, "\n[GNUPG:] GOODSIG ");

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
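
The check described in the message above (gpg's exit status plus a `GOODSIG` status line), as an added example that is not part of the original message and is not git's code. It parses the `--status-fd` output line by line and also rejects `BADSIG`/`ERRSIG`, which is a stricter policy assumed here; `signature_ok`, `has_keyword` and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PREFIX "[GNUPG:] "
#define PREFIX_LEN (sizeof(PREFIX) - 1)

/* Constructed sample of --status-fd output, not captured from a real run. */
static const char SAMPLE[] =
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed User <user@example.org>\n";

/* True when the line [s, s+len) starts with keyword kw followed by a space. */
static int has_keyword(const char *s, size_t len, const char *kw)
{
    size_t n = strlen(kw);
    return len > n && !strncmp(s, kw, n) && s[n] == ' ';
}

/* Returns 1 only if gpg exited 0, a line starts with GOODSIG, and none
 * starts with BADSIG/ERRSIG; keyid receives the first GOODSIG key ID.
 * Matching is per line, so a keyword inside a user ID never counts. */
int signature_ok(int gpg_exit, const char *buf, char keyid[17])
{
    int good = 0, bad = 0;
    keyid[0] = '\0';
    while (*buf) {
        size_t len = strcspn(buf, "\n");
        if (len > PREFIX_LEN && !strncmp(buf, PREFIX, PREFIX_LEN)) {
            const char *s = buf + PREFIX_LEN;
            size_t rest = len - PREFIX_LEN;
            if (has_keyword(s, rest, "GOODSIG")) {
                if (!good++)
                    snprintf(keyid, 17, "%.*s",
                             (int)strcspn(s + 8, " \n"), s + 8);
            } else if (has_keyword(s, rest, "BADSIG") ||
                       has_keyword(s, rest, "ERRSIG")) {
                bad++;
            }
        }
        buf += len + (buf[len] == '\n');
    }
    return gpg_exit == 0 && good > 0 && bad == 0;
}

int main(void)
{
    char keyid[17];
    int ok = signature_ok(0, SAMPLE, keyid);
    printf("ok=%d keyid=%s\n", ok, keyid);
    return ok ? 0 : 1;
}
```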