David Woodhouse <dw...@infradead.org> wrote:
> On Mon, 2016-03-21 at 18:02 +0100, Till Maas wrote:
> > 
> > It is a simple one-liner if you use gpgv2:
> > http://pkgs.fedoraproject.org/cgit/rpms/youtube-dl.git/tree/youtube-dl.spec#n35
> >   
> 
> That's better than my version; thanks. It also means there's probably
> not a lot of point in trying to simplify it with an RPM macro.
> 
> Might be nice if we could just use the ASCII-armoured key instead of
> having to generate the gpgkey-$KEYID.gpg keyring, but it's not the end
> of the world.
[...]
> Which means it would be even nicer to find a way to use the ASCII-
> armoured version of the key. Perhaps even if the check ends up being a
> two-stage process where we *make* a keyring and then use it with gpgv2?

Yes, if we're going to make this mandatory, then we should have a
program or an RPM macro or some kind of code that can be run with a
one-liner in the spec file, that recognizes the common file formats
that are used to export or publish keys, and verifies the signature. We
shouldn't require packagers to run obscure commands to convert keys
into a special format before uploading them.

> But really, the key is encoded in the signature already;

Is it really? An OpenPGP signature specifies which key it was made with,
but I'm pretty sure it doesn't contain the key. In all of my experience
with PGP and GPG there has always been an obvious difference between
having a signature but not the key, and having a signature and a
matching key.

An S/MIME signature, on the other hand, is said to contain the whole
certificate chain.

Björn Persson
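To make the point above concrete, here is a small parser (added example, not code from this thread or from GnuPG) that walks a version 4 OpenPGP signature packet per RFC 4880 and reports what it names: the signature type, the algorithms, the creation time and the issuer key ID / issuer fingerprint subpackets. There is no field for the public key itself, which is why a verifier still needs a keyring. The sample bytes at the bottom are constructed by hand with a placeholder fingerprint and a dummy MPI; they are not a real signature.

```python
import struct
from datetime import datetime, timezone

SIG_CREATION_TIME, ISSUER_KEY_ID, ISSUER_FINGERPRINT = 2, 16, 33  # RFC 4880 5.2.3.1; 33 is from RFC 4880bis

def _packet_body(data):
    """Body of the first packet (old-format 1/2-octet lengths, new-format 1-octet length)."""
    tag = data[0]
    if (tag & 0x40 and data[1] < 192) or (not tag & 0x40 and (tag & 0x03) == 0):
        return data[2:2 + data[1]]                               # one length octet
    if not tag & 0x40 and (tag & 0x03) == 1:
        return data[3:3 + struct.unpack(">H", data[1:3])[0]]     # two length octets
    raise ValueError("unsupported packet length encoding")

def _subpackets(area):
    """Yield (type, data) pairs; one-octet lengths suffice for detached signatures."""
    i = 0
    while i < len(area):
        length = area[i]                                         # counts the type octet too
        if length >= 192:
            raise ValueError("unsupported subpacket length")
        yield area[i + 1] & 0x7F, area[i + 2:i + 1 + length]     # mask off the 'critical' bit
        i += 1 + length

def describe_signature(sig):
    """What a v4 signature names: algorithms, time, issuer ID/fingerprint. No key material."""
    body = _packet_body(sig)
    if body[0] != 4:
        raise ValueError("only version 4 signatures are handled")
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3],
            "issuer_key_id": None, "issuer_fingerprint": None, "created": None}
    off = 6 + struct.unpack(">H", body[4:6])[0]                  # end of the hashed area
    unhashed_len = struct.unpack(">H", body[off:off + 2])[0]
    for stype, data in _subpackets(body[6:off] + body[off + 2:off + 2 + unhashed_len]):
        if stype == ISSUER_KEY_ID:
            info["issuer_key_id"] = data.hex().upper()
        elif stype == ISSUER_FINGERPRINT:
            info["issuer_fingerprint"] = data[1:].hex().upper()  # first octet is the key version
        elif stype == SIG_CREATION_TIME:
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", data)[0], timezone.utc)
    return info

# Constructed sample, not a real signature: RSA/SHA-256 over a binary document, placeholder
# fingerprint 10 11 ... 23 (key ID = its last 8 octets), dummy "left 16 bits" and a 16-bit MPI.
_FPR = bytes(range(0x10, 0x24))
_HASHED = b"\x05\x02" + struct.pack(">I", 1458583320) + b"\x16\x21\x04" + _FPR
_UNHASHED = b"\x09\x10" + _FPR[-8:]
_BODY = (b"\x04\x00\x01\x08" + struct.pack(">H", len(_HASHED)) + _HASHED
         + struct.pack(">H", len(_UNHASHED)) + _UNHASHED + b"\xDE\xAD\x00\x10\xAB\xCD")
SAMPLE_SIG = b"\x89" + struct.pack(">H", len(_BODY)) + _BODY
```

Run describe_signature() on the bytes of a real detached .sig (or .asc after dearmoring) and the output is the same kind of thing: a key ID to look up, never a key to use.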
