On Fri, Oct 11, 2013 at 3:32 PM, Zbigniew Jędrzejewski-Szmek
wrote:
>> gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
>> %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
>
> Does this allow anyone on the same machine with access to /tmp to
> confuse/take over gpgv?
That's just an exa
On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote:
> On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane wrote:
> > In parted we have a signed upstream package and a detached signature. In
> > the pkg git we have the signer's public key and in %prep it runs gpg.
> >
> > Source0: ftp:
On Fri, Oct 11, 2013 at 9:55 AM, Konstantin Ryabitsev
wrote:
>> Or does the check fail only if the key had already expired when the
>> signature was made?
>
> Looks like gpg verify doesn't take that into consideration.
PS: And, FYI, for a very good reason -- it is very simple for an
attacker to c
On Fri, Oct 11, 2013 at 7:02 AM, Björn Persson
wrote:
> Konstantin Ryabitsev wrote:
>>gpg --verify (and gpgv) will return 0 even if the key is revoked or
>>expired, so you can't really rely on exit code alone. The following is
>>the right approach:
>>
>>gpgv --homedir /tmp --keyring %{SOURCE2} --s
Konstantin Ryabitsev wrote:
>gpg --verify (and gpgv) will return 0 even if the key is revoked or
>expired, so you can't really rely on exit code alone. The following is
>the right approach:
>
>gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
>%{SOURCE0} | grep -q '^\[GNUPG:\] GOODS
On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote:
>
> gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
> %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
>
>
> That one-liner is pretty much all that's required for valid gpg verification.
>
> Hope this helps.
Yes
On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane wrote:
> In parted we have a signed upstream package and a detached signature. In
> the pkg git we have the signer's public key and in %prep it runs gpg.
>
> Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
> Source1: ftp://ftp.gnu.org
Hi Josh,
On Thu, Oct 03, 2013 at 10:59:24AM -0400, Josh Bressers wrote:
> > upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> > https://build.opensuse.org/package/show/Base:System/gpg-offline
> >
> > They allow using a keyring and detached signature as additional source
- Original Message -
> Hi,
>
> upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> https://build.opensuse.org/package/show/Base:System/gpg-offline
>
> They allow using a keyring and detached signature as additional source
> in SPECs to get both verified. Since gpg-
On Wed, Jul 10, 2013 at 03:01:07PM -0700, Brian C. Lane wrote:
> On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
> > Hi,
> >
> > upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> > https://build.opensuse.org/package/show/Base:System/gpg-offline
> >
> > They all
On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
> Hi,
>
> upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> https://build.opensuse.org/package/show/Base:System/gpg-offline
>
> They allow using a keyring and detached signature as additional source
> in SPECs to
On Mon, 8 Jul 2013 23:15:05 +0200
Till Maas wrote:
> Hi,
>
> upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros
> at https://build.opensuse.org/package/show/Base:System/gpg-offline
>
> They allow using a keyring and detached signature as additional
> source in SPECs to get b
On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
> Hi,
>
> upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> https://build.opensuse.org/package/show/Base:System/gpg-offline
>
> They allow using a keyring and detached signature as additional source
> in SPECs to
Hi,
upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
https://build.opensuse.org/package/show/Base:System/gpg-offline
They allow using a keyring and detached signature as additional source
in SPECs to get both verified. Since gpg-offline's upstream is willing
to create a p