On Sun, 30 Oct 2016 14:58:59 -0700
Zac Medico <zmed...@gentoo.org> wrote:

> On 10/30/2016 01:44 PM, Michał Górny wrote:
> > Hi, everyone.
> > 
> > Just a quick note: I've prepared a simple tool [1] to verify clones of
> > gentoo-mirror repositories. It's still early WiP but can be easily used
> > to verify a clone:
> > 
> >   $ ./verify-repo gentoo
> >   [/var/db/repos/gentoo]
> >   Untrusted signature on 42ccdf48d718287e981c00f25caea2242262906a
> >   (you may need to import/trust developer keys)
> >   Note: unsigned changes in metadata and/or caches found (it's fine)  
> 
> I don't think it's acceptable to use an unsigned metadata/cache commit.
> Can't we use an infrastructure key for this?

How are you going to guarantee that a third-party didn't access
the remote server and alter the filesystem just before the commit? Not
to mention the pains of keeping the key secure.

It's better not to sign that to provide false security.

> > It can take any number of repository names and/or paths on argv, or
> > will verify all installed repositories if run without arguments.
> > 
> > It has explicit support for unsigned cache update commits from
> > gentoo-mirror (verifies the last signed commit and diffs it against
> > HEAD); though it will probably get confused if signed commits out of
> > metadata/ subrepos come (very rare case).
> > 
> > Verification is done using git's default GPG magic. I'd like to
> > improve it to use gkeys but the project still hasn't achieved
> > the ability to run out-of-the-box without local hackery.  
> 
> Is there an open bug for this? We really need gkeys to be usable.

https://bugs.gentoo.org/show_bug.cgi?id=526110

-- 
Best regards,
Michał Górny
<http://dev.gentoo.org/~mgorny/>

Attachment: pgpAkzWKKXE_D.pgp
Description: OpenPGP digital signature
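The check described in the quoted message (find the newest signed commit, verify it, then allow only unsigned cache changes between it and HEAD) written out as a small POSIX sh script. This is an added example, not mgorny's verify-repo tool; it assumes that only paths under metadata/ may appear in the unsigned tail (ALLOWED_PREFIXES) and that the signed commit lies within the last 200 commits (SEARCH_DEPTH), both chosen here for illustration. It relies only on git's `%G?` signature status and on the local GPG keyring, exactly as the tool's "git's default GPG magic" does.

```shell
#!/bin/sh
# Added example, not the verify-repo tool from the thread. It applies the check the
# message describes to a gentoo-mirror clone: locate the newest signed commit, accept
# it only if git reports a good signature, then require that every change between
# that commit and HEAD stays inside the cache paths gentoo-mirror commits unsigned.
# Assumptions for this example: only paths under metadata/ count as cache updates,
# and the signed commit must lie within the last 200 commits.

ALLOWED_PREFIXES="metadata/"
SEARCH_DEPTH=200

# Read "hash status" lines as printed by `git log --format='%H %G?'` and print the
# first commit that carries a signature at all (status other than N, "no signature").
# Returns 1 when no signed commit is found in the input.
pick_signed_commit() {
    while read -r hash status; do
        case "$status" in
            N|'') continue ;;
            *) printf '%s %s\n' "$hash" "$status"; return 0 ;;
        esac
    done
    return 1
}

# Read one changed path per line; succeed only if all of them fall under an allowed
# prefix. Every offending path is reported so the user can see what was tampered with.
cache_only_paths() {
    bad=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        ok=1
        for prefix in $ALLOWED_PREFIXES; do
            case "$path" in
                "$prefix"*) ok=0; break ;;
            esac
        done
        if [ "$ok" -ne 0 ]; then
            printf 'unsigned change outside the cache: %s\n' "$path" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Verify one clone. %G? yields G (good, trusted), U (good, untrusted key), N (unsigned)
# and B/X/Y/R/E for bad, expired, revoked or uncheckable signatures.
verify_repo() {
    repo=$1
    printf '[%s]\n' "$repo"
    signed=$(git -C "$repo" log --format='%H %G?' -n "$SEARCH_DEPTH" HEAD | pick_signed_commit) || {
        printf 'no signed commit in the last %s commits\n' "$SEARCH_DEPTH" >&2
        return 1
    }
    commit=${signed%% *}
    status=${signed#* }
    case "$status" in
        G) ;;
        U) printf 'Untrusted signature on %s\n(you may need to import/trust developer keys)\n' "$commit" ;;
        *) printf 'Bad or unverifiable signature (%s) on %s\n' "$status" "$commit" >&2; return 1 ;;
    esac
    # Anything newer than the signed commit must be an unsigned cache update and nothing else.
    if [ "$commit" != "$(git -C "$repo" rev-parse HEAD)" ]; then
        git -C "$repo" diff --name-only "$commit" HEAD | cache_only_paths || return 1
        echo "Note: unsigned changes in metadata and/or caches found (it's fine)"
    fi
}

# Run against a real clone only when asked, e.g. VERIFY_REPO=/var/db/repos/gentoo sh verify.sh
if [ -n "${VERIFY_REPO:-}" ]; then
    verify_repo "$VERIFY_REPO"
fi
```

Two caveats a practitioner would want: an unsigned commit that touches only metadata/ is accepted on the strength of the last signed commit, so the check still does not prove that the cache contents match the signed tree (that is Zac's objection, and the script cannot remove it); and `U` means the signature is cryptographically fine but the key is not trusted in the local keyring, so a clone reporting "Untrusted signature" on every run is one whose developer keys were never imported, not a tampered clone.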
