From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from eggs.gnu.org ([2001:4830:134:3::10]:35645) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fzBVf-0001X4-No for guix-patches@gnu.org; Sun, 09 Sep 2018 22:01:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fzBVe-0003gD-QI for guix-patches@gnu.org; Sun, 09 Sep 2018 22:01:03 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:46603) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1fzBVe-0003fu-LR for guix-patches@gnu.org; Sun, 09 Sep 2018 22:01:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1fzBVe-0004J7-H1 for guix-patches@gnu.org; Sun, 09 Sep 2018 22:01:02 -0400 Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co. In-Reply-To: <20180909204335.21400-1-ludo@gnu.org> Resent-Message-ID: Received: from eggs.gnu.org ([2001:4830:134:3::10]:35346) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fzBUo-0001Or-Pm for guix-patches@gnu.org; Sun, 09 Sep 2018 22:00:11 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fzBUn-0002nY-Vl for guix-patches@gnu.org; Sun, 09 Sep 2018 22:00:10 -0400 From: Mike Gerwitz Date: Sun, 09 Sep 2018 21:55:33 -0400 Message-ID: <87ftyiru96.fsf@gnu.org> References: <20180909204335.21400-1-ludo@gnu.org> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature" List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org Sender: "Guix-patches" To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: vagrant@debian.org, mhw@netris.org, 32674@debbugs.gnu.org --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On Sun, Sep 09, 2018 at 22:43:35 +0200, Ludovic Court=C3=A8s wrote: > A significant difference compared to =E2=80=98gpg --verify=E2=80=99 is th= at it doesn=E2=80=99t > check whether keys are expired or revoked; all that matters is whether > the signature is valid and whether the signing key is in the specified > keyring. I think that=E2=80=99s what we want when checking the signature= of a > tarball or Git commit. Agreed. Git's use of `gpg --verify' is particularly annoying for this. > Unfortunately the keybox format and tools are poorly documented, which > is why I gave examples on how to do that in guix.texi. Thank you! > Feedback welcome! LGTM. Thanks for CC'ing. =2D-=20 Mike Gerwitz Free Software Hacker+Activist | GNU Maintainer & Volunteer GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05 https://mikegerwitz.com --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCgAGBQJblc8VAAoJEIyRe39dxRuitS8P/2N/QFGJnl7zeUx5uMRrFbRz 2YProY8RClp0zmqVpHbzPCuQ3rcW7lVeOgA9iV+DtVeOPxdm0ZGt94s/afanhKtJ O0Qok2syyCVz54bO8dkJk4HXdrI0h+a9o7vhtTIjETJUMwBf1O6qZhd3BgWVSxs/ ohvRRnWsiSddW9McDXf67wPopgx+/7pXNVEX9xuPoSXO5Jd9FcClR8ADkKLe9Y7T 0ZSfbVpUaLVXqFtn83XvOgoudqwPSjDQEurYFZgg6INLsKn/BKByFdO15KKL8IuJ te6Lz0ci4YVwzmmeFr4H/ZwWUMYMPrermxjP25XUicAImLGRECCbFd6ToA7Dj26K ksRrLpik9HzuACjdP279/5D3mS2Ps3ZmHDTnStxLhBCRVfwfqnT32EVms3gzTShv QjssgVnNwYdHd6GxnKoKx1bZpSR7ZvoeJih8r82i6cMQcAqPj+NM7GFFm+b80BF/ IOfcYup2g3HNR7pT6RC+brmG+sOCB4wyoeRLT/zA+kBQ/ODeePmBBqnu/CRij0jJ QYlu0Hvr+cK39YKvjmk6Bk8YDKy+POPQ1yYv5y7pO/DSZ5bbT/0ZaNR7r0rsrMhX ngQ+6Gkct/tVQSsH6sLNmruF80goLYHpVllOIwDpEgaZZWwVthJuyChMcuk8NLCN diA8djVEwaMC04EVxa9C =siNU -----END PGP SIGNATURE----- --=-=-=--