This topic has been discussed a lot, but I want to lift it forward again,
as I intend to implement functionality for handling keys.
Having looked at it my idea is to have gnupg identify the key and ask the
user if it wants to import it to the keyring. If yes, it should
automatically download it and place it in a keyring.
The problems I've encountered so far:
1) There's no way to get the key that generated a signature, using gpg.
2) Even if one gets the id of the key, there's no way to tell which user
(i.e. what name) it belongs to without downloading it to a keyring.
3) The user might not want to import packaging users' keys to their default
keyring.
My solutions:
1) I used cut to get the key (is the key always field 14?).
key=`gpgv -q /Programs/App/x.y/Resources/FileHash.sig 2>&1 | cut -d' ' -f14 -s`
2) Download the key to a temporary keyring.
gpg --recv-keys --no-default-keyring --keyring ~/.gnupg/gobotemp.gpg ${key}
gpg --fingerprint ${key}
3) Use another keyring for package signing keys, i.e.
~/.gnupg/gobotrust.gpg
I'd really like some input on the solutions, as I don't see 1 and 2 as
clean solutions. There has to be a way to use gpg to solve those problems
better. For example, is the key always field 14 when using cut? Is there
really no way to find out the information about a key without having to
download it? Is it a good idea to have a separate keyring?
--
/Jonas
_______________________________________________
gobolinux-devel mailing list
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
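
An added example, not part of the original message: instead of counting words in gpgv's human-readable output, the signer can be read from the machine-readable status lines that `gpgv --status-fd` emits, and the names on a key from `gpg --with-colons` run against a separate keyring. The function names, key ID, user ID and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example; key IDs, names and sample lines below are constructed.

# Print the signer from "[GNUPG:]" status lines read on stdin.
# NO_PUBKEY/ERRSIG carry the key ID when the key is missing; VALIDSIG
# carries the full fingerprint when the key is present, so it is preferred.
signer_from_status() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { fpr = $3 }
        $2 == "GOODSIG" || $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" { id = $3 }
        END {
            if (fpr != "") print fpr
            else if (id != "") print id
            else exit 1          # no signature information found
        }'
}

# Print the user IDs (field 10 of pub/uid records) from a colon listing on stdin.
uids_from_colons() {
    awk -F: '($1 == "pub" || $1 == "uid") && $10 != "" { print $10 }'
}

# Signer of a signature file ($1). gpgv exits non-zero when the key is
# unknown, but the status lines are still written to stdout.
signer_of() {
    gpgv --status-fd 1 "$1" 2>/dev/null | signer_from_status
}

# Names on a key ($2) held in a separate keyring file ($1), default keyring untouched.
names_in_keyring() {
    gpg --no-default-keyring --keyring "$1" --with-colons --list-keys "$2" 2>/dev/null |
        uids_from_colons
}

# Constructed status output for a signature whose key is not in any keyring.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1136073600 9
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# Constructed colon listing for that key after fetching it into a temporary keyring.
SAMPLE_COLONS='pub:-:1024:17:0123456789ABCDEF:1136073600:::-:::scESC:
uid:-::::1136073600::0000000000000000000000000000000000000000::Example Packager <packager@example.org>:'

printf '%s\n' "$SAMPLE_STATUS" | signer_from_status
printf '%s\n' "$SAMPLE_COLONS" | uids_from_colons
```

The key ID only says which key to fetch, and the name on a key is whatever its creator typed; the fingerprint still has to be compared against a trusted source before the key is moved into the keyring used for verifying packages.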