On Tue, Oct 08, 2013 at 10:22:57AM -0400, Konstantin Ryabitsev wrote: > On Wed, Jul 10, 2013 at 6:01 PM, Brian C. Lane <bcl@xxxxxxxxxx> wrote: > > In parted we have a signed upstream package and a detached signature. In > > the pkg git we have the signer's public key and in %prep it runs gpg. > > > > Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz > > Source1: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig > > Source2: pubkey.jim.meyering > > > > gpg --import %{SOURCE2} > > gpg --verify %{SOURCE1} %{SOURCE0} > > > > What does gpg-offline add to this? > > Sorry to jump on a very old thread, but I just saw this and want to > add the following comments: > gpg --verify (and gpgv) will return 0 even if the key is revoked or > expired, so you can't really rely on exit code alone. The following is > the right approach: > > gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1} > %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG' Does this allow anyone on the same machine with access to /tmp to confuse/take over gpgv? Zbyszek -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
