On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane <bcl@xxxxxxxxxx> wrote: > In parted we have a signed upstream package and a detached signature. In > the pkg git we have the signer's public key and in %prep it runs gpg. > > Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz > Source1: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig > Source2: pubkey.jim.meyering > > gpg --import %{SOURCE2} > gpg --verify %{SOURCE1} %{SOURCE0} > > What does gpg-offline add to this? Sorry to jump on a very old thread, but I just saw this and want to add the following comments: gpg --verify (and gpgv) will return 0 even if the key is revoked or expired, so you can't really rely on exit code alone. The following is the right approach: gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG' The pubkey (source2) format has to be an actual keyring (gpg --export keyid > keyring.gpg), not an ascii pubkey block. That one-liner is pretty much all that's required for valid gpg verification. Hope this helps. Best, -- Konstantin Ryabitsev LinuxFoundation.org Montréal, Québec -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct