On Sun, 19 Nov 2006 10:41:27 +0100, MJ Ray <[EMAIL PROTECTED]> wrote:
> "Jonas Karlsson" <[EMAIL PROTECTED]> wrote:
>> 1) There's no way to get the key that generated a signature, using gpg.
>> 2) Even if one gets the id of the key, there's no way to tell which user
>> (i.e. what name) it belongs to without downloading it to a keyring
>> 3) The user might not want to import packaging users keys to its default
>> keyring.
>
> I can't see why 1 are 2 are needed and 3 is fixable. Why not run gpg
> like
> gpg --no-default-keyring --keyring ~/.gnupg/gobopkg.gpg \
> -−keyserver‐options auto‐key‐retrieve --verify ${sig} ${pkg}
> ?
>
Why I wanted 1 and 2 is because I didn't want to autoretrieve the key.
Perhaps the above action could be used with a temporary keyring (if the
real verification failed) and then ask if the user want to import the key
to the gobopkg.pgp?
> I can't see how you'd find out name without downloading.
> It's a good idea to have a packaging keyring. Maybe later
> there will be a gobo keyring server.
>
> Hope that helps,
It may help a bit. :)
--
/Jonas
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
_______________________________________________
gobolinux-devel mailing list
[email protected]
http://lists.gobolinux.org/mailman/listinfo/gobolinux-devel
