On 03/14/2013 09:01 PM, Robin H. Johnson wrote:
> On Thu, Mar 14, 2013 at 05:14:15PM +0100, Michał Górny wrote:
>> If that means doing an additional signature every time something is
>> going to be committed, that sounds like an overkill. If we were to do
>> something radical, I'd rather be in favor of disabling keyword
>> expansion completely and finally being able to do sane commits.
> I foresee it as more of:
> IFF this commit will call GPG later, ensure the agent can access the
> secret key BEFORE trying to sign at the end.
>
> As to how to accomplish this, it's either a throwaway sig, or poking the
> agent protocol directly.
>
The only trouble with that is if the agent is configured to only unlock keys for limited periods of time, then your initial check might catch the agent when the key is still unlocked, but your subsequent call to GPG comes after the timeout. I ran into this while trying to set up automated signing of Debian packages I was building. All it really means, in a practical procedural sense, is that you need to allow yourself a way to roll back anything you've been doing if that later check fails.
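The rollback approach described in the reply above, sketched as an added example that is not part of the original message or of any project's tooling: all work happens in a staging directory, signing is the last step, and its exit status (not an earlier agent check) decides between publishing and rolling back. The names `publish_signed` and `gpg_sign` and the directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Build into a staging directory, sign last, and publish
# only if every signature was actually produced.

# Hypothetical signer: writes a detached, armored signature to "<file>.asc".
gpg_sign() {
    gpg --batch --yes --armor --detach-sign --output "$1.asc" "$1"
}

# publish_signed STAGING_DIR FINAL_DIR SIGN_CMD...
# Returns 0 after moving STAGING_DIR to FINAL_DIR when all files are signed.
# Returns 1 after deleting STAGING_DIR when any signature fails.
publish_signed() {
    staging=$1; final=$2; shift 2
    if [ -e "$final" ]; then
        echo "refusing to overwrite $final" >&2
        return 1
    fi
    for f in "$staging"/*; do
        [ -f "$f" ] || continue
        case $f in *.asc) continue ;; esac
        # The agent may have dropped the unlocked key since any earlier
        # check, so the result of this call is the only one that counts.
        if ! "$@" "$f" || [ ! -s "$f.asc" ]; then
            echo "signing failed for $f, rolling back" >&2
            rm -rf -- "$staging"
            return 1
        fi
    done
    # A rename within one filesystem is atomic: FINAL_DIR shows up
    # complete and signed, or not at all.
    mv -- "$staging" "$final"
}

# Usage (constructed paths):
#   publish_signed ./build.tmp ./release gpg_sign
```

Keeping the staging and final directories on the same filesystem is what makes the last step a single rename rather than a copy that could itself be interrupted.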