On Wed, Jul 10, 2013 at 03:01:07PM -0700, Brian C. Lane wrote:
> On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
> > Hi,
> >
> > upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> > https://build.opensuse.org/package/show/Base:System/gpg-offline
> >
> > They allow using a keyring and a detached signature as additional sources
> > in SPECs to get both verified. Since gpg-offline's upstream is willing
> > to create a proper release to allow easy packaging for Fedora, I wonder
> > if I will find any obstacles when I package it. The packaging guidelines
> > allow packaging RPM macros, therefore this should be fine.
> >
> > Also I am interested whether there are better options available.
>
> In parted we have a signed upstream package and a detached signature. In
> the pkg git we have the signer's public key and in %prep it runs gpg.
>
> Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
> Source1: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig
> Source2: pubkey.jim.meyering
>
> gpg --import %{SOURCE2}
> gpg --verify %{SOURCE1} %{SOURCE0}
>
> What does gpg-offline add to this?
I have not read it yet, but your code has several flaws:

- It modifies the user's default GPG keyring, which might be considered rude (if it is not run on Koji or in mock)
- It does not ensure that the signature is actually from the key that is provided as Source2
- It either does not work if the key is not trusted or allows signatures from untrusted keys, because the provided key is not especially marked as trusted

I hope that gpg-offline does not have these flaws, but since addressing this needs a little bit more code, a macro seems to be the right way to do this for me.

Regards
Till

-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
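A %prep verification step that addresses the three points raised above (a throwaway keyring instead of the user's, pinning the fingerprint of the key shipped as Source2, and not depending on the keyring's trust settings), added here as an example for this thread; it is not code from parted's spec, from gpg-offline or from any poster, and the fingerprint in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: verify a detached signature against exactly one expected key.
# Not from parted's spec or gpg-offline; the fingerprint at the bottom is a placeholder.

# Read gpg --status-fd output on stdin and succeed only if it contains a
# VALIDSIG line whose third field (fingerprint of the key that made the
# signature) or last field (primary key fingerprint, GnuPG 2.x) equals the
# expected fingerprint. gpg emits VALIDSIG for untrusted keys as well, so
# pinning the fingerprint removes any dependence on the keyring's trust
# settings, and a signature from any other key fails even though it imported fine.
check_validsig_status() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if (toupper($3) == toupper(want) || toupper($NF) == toupper(want)) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}

# Import the key shipped as a Source into a temporary GNUPGHOME (the user's
# ~/.gnupg is never touched), verify the detached signature, then pin the key.
# Usage: verify_detached <expected-fingerprint> <pubkey> <signature> <tarball>
verify_detached() {
    want=$1; pubkey=$2; sig=$3; tarball=$4
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"
    status=$(GNUPGHOME="$tmp" gpg --batch --quiet --import "$pubkey" &&
             GNUPGHOME="$tmp" gpg --batch --status-fd 1 --verify "$sig" "$tarball")
    rc=$?
    GNUPGHOME="$tmp" gpgconf --kill gpg-agent 2>/dev/null || :
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$status" | check_validsig_status "$want"
}

# In %prep (placeholder fingerprint; substitute the maintainer's real one):
# verify_detached 0000000000000000000000000000000000000000 %{SOURCE2} %{SOURCE1} %{SOURCE0} || exit 1
```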