On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote:
On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane <bcl(a)redhat.com>
wrote:
> In parted we have a signed upstream package and a detached signature. In
> the pkg git we have the signer's public key and in %prep it runs gpg.
>
> Source0:
ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
> Source1:
ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig
> Source2: pubkey.jim.meyering
>
> gpg --import %{SOURCE2}
> gpg --verify %{SOURCE1} %{SOURCE0}
>
> What does gpg-offline add to this?
Sorry to jump on a very old thread, but I just saw this and want to
add the following comments:
gpg --verify (and gpgv) will return 0 even if the key is revoked or
expired, so you can't really rely on exit code alone. The following is
the right approach:
gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
%{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
Does this allow anyone on the same machine with access to /tmp to
confuse/take over gpgv?
Zbyszek