GPG verification in SPECs
Björn Persson
bjorn at xn--rombobjrn-67a.se
Fri Oct 11 11:02:20 UTC 2013
Konstantin Ryabitsev wrote:
>gpg --verify (and gpgv) will return 0 even if the key is revoked or
>expired, so you can't really rely on exit code alone. The following is
>the right approach:
>
>gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
Will that check start to fail when the key expires? Do we want packages
to start failing to build just because a certain date has passed?
Or does the check fail only if the key had already expired when the
signature was made?
--
Björn Persson
Sent from my computer.
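
An added example, not part of either poster's message: a shell function that reads the --status-fd output discussed in this thread and tells apart the per-signature status keywords GnuPG documents (GOODSIG, EXPKEYSIG, REVKEYSIG, EXPSIG, BADSIG, ERRSIG) instead of matching GOODSIG alone. The function name, the ALLOW_EXPIRED_KEY policy switch and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify gpgv --status-fd output read on stdin.
# Prints one verdict word; returns 0 only when the signature is accepted.
# ALLOW_EXPIRED_KEY=1 is a hypothetical policy switch, not a gpgv option:
# it accepts a good signature whose key has expired by now.
sig_verdict() {
    verdict=none
    count=0
    while IFS= read -r line; do
        case $line in
            '[GNUPG:] GOODSIG '*)   v=good ;;
            '[GNUPG:] EXPKEYSIG '*) v=expired-key ;;
            '[GNUPG:] REVKEYSIG '*) v=revoked-key ;;
            '[GNUPG:] EXPSIG '*)    v=expired-sig ;;
            '[GNUPG:] BADSIG '*)    v=bad ;;
            '[GNUPG:] ERRSIG '*)    v=error ;;
            *) continue ;;          # VALIDSIG, KEYEXPIRED etc. are not verdicts
        esac
        count=$((count + 1))
        verdict=$v
    done
    # More than one signature result in the stream: refuse rather than guess.
    if [ "$count" -gt 1 ]; then
        verdict=ambiguous
    fi
    printf '%s\n' "$verdict"
    case $verdict in
        good)        return 0 ;;
        expired-key) [ "${ALLOW_EXPIRED_KEY:-0}" = 1 ] ;;
        *)           return 1 ;;
    esac
}

# Constructed status lines; the key ID and user ID are made up.
SAMPLE_GOOD='[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_EXPKEY='[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>'
SAMPLE_REVKEY='[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>'

# Demo: print the verdict for each constructed line.
for s in "$SAMPLE_GOOD" "$SAMPLE_EXPKEY" "$SAMPLE_REVKEY"; do
    printf '%s\n' "$s" | sig_verdict || true
done
```

In a spec file the function would take the place of the grep, fed by the same gpgv command with --status-fd=1.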