On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote:
gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
snip
That one-liner is pretty much all that's required for valid gpg verification.
Hope this helps.
Yes it
Konstantin Ryabitsev wrote:
gpg --verify (and gpgv) will return 0 even if the key is revoked or
expired, so you can't really rely on exit code alone. The following is
the right approach:
gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
On Fri, Oct 11, 2013 at 7:02 AM, Björn Persson
bj...@xn--rombobjrn-67a.se wrote:
Konstantin Ryabitsev wrote:
gpg --verify (and gpgv) will return 0 even if the key is revoked or
expired, so you can't really rely on exit code alone. The following is
the right approach:
gpgv --homedir /tmp
On Fri, Oct 11, 2013 at 9:55 AM, Konstantin Ryabitsev
i...@fedoraproject.org wrote:
Or does the check fail only if the key had already expired when the
signature was made?
Looks like gpg verify doesn't take that into consideration.
PS: And, FYI, for a very good reason -- it is very simple for
On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote:
On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane b...@redhat.com wrote:
In parted we have a signed upstream package and a detached signature. In
the pkg git we have the signer's public key and in %prep it runs gpg.
On Fri, Oct 11, 2013 at 3:32 PM, Zbigniew Jędrzejewski-Szmek
zbys...@in.waw.pl wrote:
gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
Does this allow anyone on the same machine with access to /tmp to
confuse/take over gpgv?
That's
On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane b...@redhat.com wrote:
In parted we have a signed upstream package and a detached signature. In
the pkg git we have the signer's public key and in %prep it runs gpg.
Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
Source1:
Hi Josh,
On Thu, Oct 03, 2013 at 10:59:24AM -0400, Josh Bressers wrote:
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a keyring and detached signature as additional source
in
- Original Message -
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a keyring and detached signature as additional source
in SPECs to get both verified. Since
On Wed, Jul 10, 2013 at 03:01:07PM -0700, Brian C. Lane wrote:
On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a
On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a keyring and detached signature as additional source
in SPECs to get
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a keyring and detached signature as additional source
in SPECs to get both verified. Since gpg-offline's upstream is willing
to create a
On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a keyring and detached signature as additional source
in SPECs to get
On Mon, 8 Jul 2013 23:15:05 +0200
Till Maas opensou...@till.name wrote:
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros
at https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow to use a keyring and detached signature as additional
source in