Hello,

Werner Koch via Gnupg-users wrote:
> while talking about gpgv, let me remind you about the new
> --assert-signer option which can be used as a replacement for gpgv.

In a similar way, is there anyone able and interested in
helping to move https://dev.gnupg.org/T2290 (Allow gpgv2 to
use armored GPG keys as keyring file with trusted keys)
forward?

A reasonably common use case for gpgv is to verify
signatures on release artifacts by distribution packaging
tools.  Being able to use the upstream provided key
material, which is typically armored, would make things a
bit simpler and easier to verify for people interested in
ensuring those packages are using the proper key material
and are not introducing any issues.

In the Fedora/Red Hat world, a gpgverify script has been
added which must call `gpg --dearmor` to strip the armor
from an upstream key, requiring tmp files and such.  I
imagine this similarly affects Debian-based packages as
well.

It would be cleaner to just call gpgv (or some form of gpg
with --assert-signer, perhaps).

-- 
Todd

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

Reply via email to