Julian - I hadn't realised there are two gpgv's! Having found apt's own /usr/lib/methods/gpgv I have been able to create a shell wrapper that can feed it the expected request headers and parse the response headers to ensure a GPGVOutput: GOODSIG ...

It's a proof of concept right now; if this approach is preferred then I'll tidy it up and publish.

--
https://bugs.launchpad.net/bugs/1801762

Title:
  Dual-signed things should be easy to verify with one key

Status in apt package in Ubuntu:
  New
Status in debmirror package in Ubuntu:
  New
Status in gnupg2 package in Ubuntu:
  New
Status in ubuntu-keyring package in Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  As part of Ubuntu key rotation strategy, we rely on dual-signing (inline, or detached) such that validation with at least one key available in a keyring should be trusted, without using web-of-trust.

  However, it seems to be only correctly so far implemented by apt's gpgv method.

  Ideally, we should ship an easy enough to use helper that is `like gpgv` to use, and possibly reusing apt's gpgv code and/or exposing it via apt-key's verify.

  The problem seems to be that 1 good sig + 1 no public key available, results in gpgv exiting with 2, instead of 0 or 1.

  Ideally it should be easy enough to use gpgv/gpg to verify that at least one signature is good, and decrypt/extract signed contents only.

  More details and reproducers to follow.
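The "at least one good signature" decision described in the bug can also be made from gpgv's own --status-fd lines instead of its exit code. The following is an added example, not the wrapper mentioned in the comment and not apt's code; the function names, the acceptance policy and the sample status lines with placeholder key IDs are assumptions constructed for illustration.

```python
import subprocess

# Signature status keywords from GnuPG's doc/DETAILS; each is followed by a key ID.
BUCKETS = {
    "GOODSIG": "good",
    "BADSIG": "bad",
    "EXPSIG": "worthless",
    "EXPKEYSIG": "worthless",
    "REVKEYSIG": "worthless",
    "NO_PUBKEY": "no_pubkey",
}

def classify_status(status_text):
    """Sort gpgv --status-fd lines into per-outcome lists of key IDs."""
    result = {"good": [], "bad": [], "worthless": [], "no_pubkey": []}
    for line in status_text.splitlines():
        parts = line.split()
        # Only well-formed "[GNUPG:] KEYWORD KEYID ..." lines count.
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] in BUCKETS:
            result[BUCKETS[parts[1]]].append(parts[2])
    return result

def at_least_one_good(status_text):
    """Assumed policy: one good signature suffices, a bad one always fails,
    and a signature whose key is not in the keyring is merely ignored."""
    r = classify_status(status_text)
    return bool(r["good"]) and not r["bad"]

def verify_detached(keyring, signature, signed_file):
    """Run gpgv and decide from the status lines, not from the exit code,
    which the bug reports as 2 for one good signature plus one missing key."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", keyring, signature, signed_file],
        capture_output=True, text=True)
    return at_least_one_good(proc.stdout)

# Constructed status output for a dual-signed file (placeholder key IDs).
SAMPLE_DUAL = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 1 10 00 1541000000 9
[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Constructed Key <key@example.invalid>
"""
SAMPLE_TAMPERED = SAMPLE_DUAL + "[GNUPG:] BADSIG CCCCCCCCCCCCCCCC Other Key <other@example.invalid>\n"
SAMPLE_NO_KEYS = "[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA\n"
```

Expired or revoked signers land in the "worthless" list and never count as good, so a file signed only by such keys is rejected just like one with no known key.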