Hi,

Daniel Kahn Gillmor via Gnupg-users wrote:
> Hi Todd--
>
> On Fri 2024-07-26 09:54:32 -0400, Todd Zullinger via Gnupg-users wrote:
>> A reasonably common use case for gpgv is to verify
>> signatures on release artifacts by distribution packaging
>> tools. Being able to use the upstream provided key
>> material, which is typically armored, would make things a
>> bit simpler and easier to verify for people interested in
>> ensuring those packages are using the proper key material
>> and are not introducing any issues.
>
> I recommend using any sopv implementation for that use case, since sopv
> is specified to explicitly accept both armored and unarmored
> certificates as verification targets.
That's a fine goal for down the road, but it's not going to be a solid option until those implementations are all included in the distributions. Particularly, using sopv-gpgv would introduce more dependencies to the buildroot (the python stack, specifically) which is unlikely to be something folks like Fedora want, after spending time to minimize the default buildroot. (I don't care too much about Fedora anymore, as I'm migrating away from anything Red Hat based, but it's still what I'm most familiar with.)

Fedora does have the Sequoia SOP command available, but it doesn't work out of the box (nor does it provide an option to be more verbose, AFAICT). Not that I want to turn this into a support chat for an unrelated command, but here's what the experience looks like in a minimal Fedora 40 container when attempting to verify the git source:

[root@6e3fc2ac22a3 tmp]# /usr/lib/rpm/redhat/gpgverify \
    --keyring=gpgkey-junio.asc --signature=git-2.46.0.tar.sign \
    --data=git-2.46.0.tar
gpgv: Signature made Mon Jul 29 14:27:21 2024 UTC
gpgv:                using RSA key E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB
gpgv: Good signature from "Junio C Hamano <gits...@pobox.com>"
gpgv:                 aka "Junio C Hamano <ju...@pobox.com>"
gpgv:                 aka "Junio C Hamano <j...@google.com>"
[root@6e3fc2ac22a3 tmp]# /tmp/sopv-gpgv verify git-2.46.0.tar.sign \
    gpgkey-junio.asc <git-2.46.0.tar
2024-07-29T14:07:21Z E1F036B1FEE7221FC778ECEFB0B5E88696AFE6CB 96E07AF25771955980DAD10020D04E5A713660A7 mode:binary
[root@6e3fc2ac22a3 tmp]# sqop verify git-2.46.0.tar.sign \
    gpgkey-junio.asc <git-2.46.0.tar
No acceptable signatures found

The version installed was 0.34.0, while there is a newer tag upstream 0.35.0. I tested that as well, with the same result.

Using /usr/lib/rpm/redhat/gpgverify -- which is a small shell script wrapper for gpgv -- avoids new dependencies and produces quite readable output which is handy in build logs. Using an SOP command would still require some wrapper to provide useful error output.
That's all fixable, but it's going to take some time before that's in place and acceptable by many distributions. Personally, I'd prefer to continue using gpgv for now. But I'll keep an eye on the SOP clients.

Thanks,

-- 
Todd
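A minimal wrapper of the kind described above, added here as an example (it is not the Fedora gpgverify script and not code from the thread): it dearmors an armored upstream key with gpg so that gpgv can use it as its keyring, then reports the verdict and the signing fingerprint in a form that reads well in a build log. It assumes gpg and gpgv are on PATH; the file names are placeholders.

```shell
#!/bin/sh
# Added example: a small gpgv wrapper in the spirit of the gpgverify script
# discussed above (not that script, and not code from the thread). It lets
# the upstream-provided armored key be used as the keyring by dearmoring it
# first, then verifies a detached signature and prints a readable verdict.
# Assumes gpg and gpgv are on PATH; all file names are caller-supplied.
set -eu

# 0 if the file is an ASCII-armored OpenPGP block, 1 if it is binary.
is_armored() {
    head -c 64 "$1" | grep -q -- '-----BEGIN PGP'
}

# Print the path of a keyring gpgv can read for the given key file:
# armored input is dearmored into a temp file, binary input is used as is.
# gpgv treats a bare name without a slash as relative to its home
# directory, so the path is always returned with a slash in it.
keyring_for() {
    key="$1"
    case "$key" in */*) ;; *) key="./$key" ;; esac
    if is_armored "$key"; then
        ring="$(mktemp "${TMPDIR:-/tmp}/keyring.XXXXXX")"
        gpg --batch --quiet --dearmor --output "$ring" "$key"
        printf '%s\n' "$ring"
    else
        printf '%s\n' "$key"
    fi
}

# Verify DATA against the detached signature SIG using only KEY.
# gpgv exits non-zero unless every signature is good, and --status-fd
# gives machine-readable lines; VALIDSIG carries the signing fingerprint.
verify_release() {
    key="$1"; sig="$2"; data="$3"
    ring="$(keyring_for "$key")"
    status="$(gpgv --keyring "$ring" --status-fd 1 "$sig" "$data" 2>/dev/null)" || {
        printf 'FAIL: no good signature on %s from key file %s\n' "$data" "$key" >&2
        printf '%s\n' "$status" | grep '^\[GNUPG:\]' >&2 || true
        return 1
    }
    fpr="$(printf '%s\n' "$status" | sed -n 's/^\[GNUPG:\] VALIDSIG \([0-9A-F]*\) .*/\1/p')"
    printf 'OK: %s signed by %s\n' "$data" "$fpr"
}

# Usage: ./verify-release.sh KEY.asc FILE.sign FILE  (placeholder names)
if [ "$#" -eq 3 ]; then
    verify_release "$1" "$2" "$3"
fi
```

The temporary keyring is left for the caller to remove; a build script would normally wrap the call in a trap that deletes it.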
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users