On Thu, 2008-12-11 at 13:32 -0700, LuKreme wrote:
> > It's almost like "Just download this key file and you'll be fine. Don't
> > worry about where it came from, just put it in your keyring."
>
> Not at all, I KNOW where the gpg.key came from, because I downloaded
> it. And it came from the same server as the rules are coming.
>
> > The point is that at some point you have to trust the source to give you
> > the correct information. (Which, in the case of an encryption key or
> > key id, will look like a bunch of random numbers)
>
> The KeyID is coming from who knows where.

No. It is part of the key. We've covered that basic GPG intro already.

Also, usually, the instructions for third-party rules telling you about
the entire sa-update command to run are located on the same server as
you got the key from. Yeah, that's "who knows where" alright...

[ snip ]

> Or is it that checking multiple keys is so expensive that you are
> trying to save the server massive processing by telling it which key
> to check with? That at least might make some sense, but I've not
> noticed key checking taking a lot of processing.

The *client* is verifying the signed update. No additional load on the
server at all.

> On 11-Dec-2008, at 08:31, Kai Schaetzl wrote:
> > Karsten Bräckelmann wrote on Thu, 11 Dec 2008 12:48:34 +0100:
> >
> >> A quick glimpsing of the man page tells me to use this:
> >> gpg --list-keys --no-default-keyring --keyring sa-update-keys/pubring.gpg
> >
> > For me, too. Either cd to /etc/mail/spamassassin or add it to the
> > path, though ;-)
>
> The gpg installed on my FreeBSD does not have a man page (installed by
> ports for SA3.2.5, IIRC), just a --help which says the syntax is:

Did you ever try googling for "man gpg"? Dude, this is quite a lame
excuse...

Anyway, if you got gpg, but no man-pages, I'd complain loudly to my
$vendor.

> It does, further down, say:
> --list-keys [names] show keys
>
> but there is no indication of what is meant by [names]

IIRC (too lazy to look up the details for you) it accepts key IDs,
fingerprints, email-addresses, names, and any substring at least of the
latter two.

Did you try it? It's enlightening...

> I'm just saying the current state of the documentation on this is
> poor, requires a level of implicit trust of the -gpgkey value that
> should not be necessary with gpg keys, and is downright confusing to
> anyone looking at it for the first time who is not willing to simply
> plug-n-play with someone else's config.

...or read the documentation.

This is Open Source. Patches accepted.

Yes, documentation patches accepted. Wait, there are lots of docs in a
*wiki*... Just do it, no patch required.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
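
Added example, not part of the original message and not code from SpamAssassin or GnuPG: how a version 4 OpenPGP key ID is derived from the public-key packet itself (RFC 4880, section 12.2), which is why the ID given to sa-update can be checked against the key file that was downloaded. The key material is constructed for illustration and is not a usable key; the function names are this example's own.

```python
import hashlib
import struct

def read_packet(data, pos=0):
    """Parse one binary OpenPGP packet; return (tag, body, next_pos)."""
    hdr = data[pos]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet (binary input expected, not ASCII armor)")
    if hdr & 0x40:                       # new-format header
        tag, first = hdr & 0x3F, data[pos + 1]
        if first < 192:
            length, start = first, pos + 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        elif first == 255:
            length, start = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), pos + 1 + size
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, start + length

def v4_key_ids(keydata):
    """Return (fingerprint, long key ID, short key ID) of the first packet."""
    tag, body, _ = read_packet(keydata)
    if tag != 6 or not body or body[0] != 4:
        raise ValueError("expected a version 4 public-key packet")
    # RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, packet body.
    fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    return fpr, fpr[-16:], fpr[-8:]      # key ID = low-order 64 bits of the fingerprint

def mpi(n):
    """Encode an integer as an OpenPGP multiprecision integer."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Constructed sample: version, creation time, algorithm 1 (RSA), made-up modulus, exponent.
SAMPLE_BODY = b"\x04" + struct.pack(">I", 1229000000) + b"\x01" + mpi((1 << 1023) | 0x1234567) + mpi(65537)
SAMPLE_KEY = b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY

if __name__ == "__main__":
    fingerprint, long_id, short_id = v4_key_ids(SAMPLE_KEY)
    print("fingerprint:", fingerprint)
    print("key ID:", long_id, "short:", short_id)
```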