GPG verification in SPECs

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri Oct 11 19:32:43 UTC 2013


On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote:
> On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane <bcl at redhat.com> wrote:
> > In parted we have a signed upstream package and a detached signature. In
> > the pkg git we have the signer's public key and in %prep it runs gpg.
> >
> > Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
> > Source1: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig
> > Source2: pubkey.jim.meyering
> >
> > gpg --import %{SOURCE2}
> > gpg --verify %{SOURCE1} %{SOURCE0}
> >
> > What does gpg-offline add to this?
> 
> Sorry to jump on a very old thread, but I just saw this and want to
> add the following comments:
> gpg --verify (and gpgv) will return 0 even if the key is revoked or
> expired, so you can't really rely on exit code alone. The following is
> the right approach:
> 
> gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'

Does this allow anyone on the same machine with access to /tmp to
confuse/take over gpgv?

Zbyszek
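An added example, not code from this thread or from the parted spec: a POSIX sh fragment that runs gpgv with --status-fd the way the quoted message suggests, but with a freshly created private GnuPG home directory (mktemp -d) instead of a shared /tmp, and a status-line check that accepts only a GOODSIG together with a VALIDSIG whose fingerprint matches one pinned in the spec. The function names, the placeholder fingerprint and the sample status lines are my own; nothing here is gpgv's or the package's code.

```shell
#!/bin/sh
# Added example for verifying a detached signature in %prep.
# check_status reads "[GNUPG:] ..." lines from gpgv on stdin; $1 is the
# fingerprint the spec pins (primary key or signing subkey, 40 hex chars).
# Returns 0 only if gpgv reported GOODSIG, no BADSIG/ERRSIG/EXPKEYSIG/
# REVKEYSIG/EXPSIG/NO_PUBKEY, and a VALIDSIG whose key fingerprint or
# primary-key fingerprint equals $1. Relying on exit status alone, or on
# GOODSIG alone with a keyring that might hold more than one key, is weaker.
check_status() {
    expected_fpr=$1
    good=0 valid=0 bad=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|\
            "[GNUPG:] REVKEYSIG "*|"[GNUPG:] EXPSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] VALIDSIG "*)
                # Fields after "[GNUPG:] VALIDSIG": <fpr> <date> <ts> <exp-ts>
                # <sig-ver> <reserved> <pk-algo> <hash-algo> <sig-class>
                # [<primary-key-fpr>], so the signing key fpr is $3 and the
                # primary key fpr is ${12} after word-splitting the line.
                set -- $line
                case $expected_fpr in
                    "$3"|"${12}") valid=1 ;;
                esac
                ;;
        esac
    done
    [ "$good" = 1 ] && [ "$valid" = 1 ] && [ "$bad" = 0 ]
}

# verify_source TARBALL SIG KEYRING FINGERPRINT
# Runs gpgv with a private, freshly created home directory so that files
# another user drops into a shared location such as /tmp cannot be picked
# up, and pipes the machine-readable status lines into check_status.
# Human-readable gpgv messages stay on stderr for the build log.
verify_source() {
    tarball=$1 sig=$2 keyring=$3 fpr=$4
    gnupghome=$(mktemp -d) || return 1
    gpgv --homedir "$gnupghome" --keyring "$keyring" --status-fd 1 \
        "$sig" "$tarball" | check_status "$fpr"
    rc=$?
    rm -rf "$gnupghome"
    return $rc
}

# Intended %prep usage (fingerprint placeholder is not a real value):
#   verify_source %{SOURCE0} %{SOURCE1} %{SOURCE2} <pinned-fingerprint> || exit 1
if [ "$#" -eq 4 ]; then
    verify_source "$@" || exit 1
fi
```

The GOODSIG test mirrors the quoted grep; the VALIDSIG fingerprint comparison is the extra step that ties the verdict to the specific key the packager committed, rather than to whatever happens to be loadable from the keyring path.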


More information about the devel mailing list