On Fri, Oct 11, 2013 at 3:32 PM, Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
>> gpgv --homedir /tmp --keyring %{SOURCE2} --status-fd=1 %{SOURCE1}
>> %{SOURCE0} | grep -q '^\[GNUPG:\] GOODSIG'
>
> Does this allow anyone on the same machine with access to /tmp to
> confuse/take over gpgv?

That's just an example -- gpgv doesn't appear to have the "--no-default-keyring", so you should point --homedir to any location where there isn't a pubring.gpg file (or you can mktemp -d one, to be extra safe). In kup, we create a safe tempdir as part of the overall operation and pass that as the homedir.

Since we're talking about this in the rpm spec context, "--homedir %{buildroot}" would do the trick, since it's destroyed before each rpm build.

Regards,
--
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
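
The `mktemp -d` variant mentioned in the reply above, written out as a shell function. This is an added example, not code from the original message or from kup; the function name `verify_detached` and its argument order are assumptions.

```shell
#!/bin/sh
# Added example: run gpgv against a private, freshly created homedir
# instead of a shared, world-writable location such as /tmp.

verify_detached() {
    # usage: verify_detached KEYRING SIGNATURE FILE
    # KEYRING should be an absolute path: gpgv resolves a keyring name
    # that contains no slash relative to the homedir.
    keyring=$1
    sig=$2
    file=$3

    # mktemp -d creates a directory with an unpredictable name that only
    # the calling user can access, so no other local user can place a
    # pubring.gpg or trustedkeys.gpg there before gpgv reads it.
    home=$(mktemp -d) || return 2

    # A failed verification gives a non-zero exit status; treat that as
    # a failure on its own, then remove the temporary homedir either way.
    status=$(gpgv --homedir "$home" --keyring "$keyring" \
        --status-fd=1 "$sig" "$file" 2>/dev/null) || {
        rm -rf "$home"
        return 1
    }
    rm -rf "$home"

    # Same check as in the quoted command: require a GOODSIG status line.
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG'
}

# When run as a script with three arguments, verify and exit with the result.
if [ "$#" -eq 3 ]; then
    verify_detached "$@"
    exit $?
fi
```

The function returns 0 only when gpgv both exits successfully and reports GOODSIG, so a crash or a truncated status stream is not mistaken for a valid signature.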