On Tue, 28 Feb 2017 18:05:29 +0100 Miroslav Rovis wrote: [...] > Gentoo Keys > ----------- > > ### About > > Gentoo Keys is a Python based project that aims to manage the GPG keys used > for validation on users and Gentoo's infrastracutre servers. Gentoo Keys > will be able > to verify GPG keys used for Gentoo's release media, such as installation > CD's, > Live DVD's, packages and other GPG signed documents. It will also be used by > Gentoo infrastructure to achieve GPG signed git commits in the forthcoming > git > migration of the main CVS tree. > > ### License > > Gentoo Keys is under GPL-2 License > # > > But do I read this correctly?: > > ...Gentoo Keys will be able > to verify GPG keys used for Gentoo's release media, such as installation > CD's, > Live DVD's, packages and other GPG signed documents. > > Again, about this (syntactical) object (in the sentence), with other > objects removed: > > ...Gentoo Keys will be able > to verify GPG keys used for ... > ... packages... > > Does that mean what I read? That with gkeys any user will be able to get > packages via git, and somehow automatically gpg -verify the signature of > each package that (s)he got when (s)he, say:
Yes and no. AFAIK gkeys is not yet fully implemented. Right now it can be used to verify dev keys, but I'm not aware about a way to verity git tree using gkeys. Probably this should be done at the end of emaint sync process. Best regards, Andrew Savchenko
pgpprJPSHYH3u.pgp
Description: PGP signature
