Hello, Werner Koch via Gnupg-users wrote: > while talking about gpgv, let me remind you about the new > --assert-signer option which can be used as a replacement for gpgv.
In a similar way, is there anyone able and interested in helping to move https://dev.gnupg.org/T2290 (Allow gpgv2 to use armored GPG keys as keyring file with trusted keys) forward? A reasonably common use case for gpgv is to verify signatures on release artifacts by distribution packaging tools. Being able to use the upstream provided key material, which is typically armored, would make things a bit simpler and easier to verify for people interested in ensuring those packages are using the proper key material and are not introducing any issues. In the Fedora/Red Hat world, a gpgverify script has been added which must call `gpg --dearmor` to strip the armor from an upstream key, requiring tmp files and such. I imagine this similarly affects Debian-based packages as well. It would be cleaner to just call gpgv (or some form of gpg with --assert-signer, perhaps). -- Todd
signature.asc
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org https://lists.gnupg.org/mailman/listinfo/gnupg-users
