From: Vagrant Cascadian
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 02 Sep 2018 10:15:19 -0700
Message-ID: <87zhwz6ct4.fsf@aikidev.net>
References: <87io14sqoa.fsf@dustycloud.org> <87tvnemfjh.fsf@aikidev.net> <871sab7ull.fsf@gnu.org>
In-Reply-To: <871sab7ull.fsf@gnu.org>
To: Ludovic Courtès
Cc: 22883@debbugs.gnu.org

On 2018-09-02, Ludovic Courtès wrote:
> Vagrant Cascadian wrote:
>> I really don't like having a custom GNUPGHOME, but I didn't see any
>> other obvious way to pass arguments to git to use a custom keyring. I
>> populated this GNUPGHOME with keys from:
>>
>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
>>
>> And then ran gpg --refresh-keys on it, as several keys were
>> outdated/expired.
>
> ‘gpgv’, which is recommended for this use case, has a ‘--keyring’
> argument. I suppose we could use that.

I'm not sure how to get git to use gpgv instead of gpg, and extracting
the information out of git and then implementing some external
verification process, while possible, is likely error-prone.

A feature request to git to allow passing gpg arguments or use gpgv
would be the best way forward in the long-term.

live well,
  vagrant
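Added example, not part of the message above and not Guix or git code: a sketch of the external verification path the message calls possible but error-prone, splitting a raw commit object into signed payload and detached signature and handing both to gpgv with an explicit `--keyring`. The function names, the constructed sample commit and the keyring path argument are assumptions for illustration.

```python
import subprocess
import tempfile

# Constructed sample of `git cat-file commit <rev>` output; the signature body is a dummy.
SAMPLE = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author A U Thor <author@example.org> 1535908519 -0700\n"
    b"committer A U Thor <author@example.org> 1535908519 -0700\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" Q09OU1RSVUNURUQ=\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Subject line\n"
    b"\n"
    b"gpgsig this line is message text, not a header\n"
)

def split_signed_commit(raw: bytes):
    """Return (signed payload, armored signature) for a raw commit object."""
    head, sep, body = raw.partition(b"\n\n")  # headers stop at the first empty line
    kept, sig, in_sig = [], [], False
    for line in head.split(b"\n"):
        if in_sig and line.startswith(b" "):
            sig.append(line[1:])  # continuation lines carry one leading space
            continue
        in_sig = False
        if line.startswith(b"gpgsig "):
            if sig:
                raise ValueError("more than one gpgsig header")
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        else:
            kept.append(line)  # includes continuation lines of other headers
    if not sig:
        raise ValueError("commit carries no gpgsig header")
    # The signature covers the commit object with the gpgsig header removed.
    return b"\n".join(kept) + sep + body, b"\n".join(sig) + b"\n"

def gpgv_verify(raw: bytes, keyring: str) -> bool:
    """Check the commit signature with gpgv against one explicit keyring file."""
    payload, sig = split_signed_commit(raw)
    with tempfile.NamedTemporaryFile(suffix=".sig") as s, tempfile.NamedTemporaryFile() as d:
        s.write(sig)
        s.flush()
        d.write(payload)
        d.flush()
        cmd = ["gpgv", "--keyring", keyring, s.name, d.name]
        return subprocess.run(cmd, capture_output=True).returncode == 0
```

gpgv treats every key in the keyring it is given as trusted, so the contents of that file are the entire trust policy for this check.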