Re: verifying signature for a package

Ben Beasley wrote:
> Please see https://src.fedoraproject.org/rpms/xfontsel/blob/a38f5a42fa7bc59378527cf05dabe29523675613/f/xfontsel.spec#_10 for an example from the same group of X11 programs.

What's described there is known as TOFU – trust on first use. Ben
looked up which key made the signature, downloaded that key and added it
to the Git repository. Initially this adds no security, as all that can
be verified is that the tarball was signed by whoever signed it.

The value of TOFU comes when the same key is used to verify another
tarball. As long as the key in the Git repository remains unchanged,
the signature verification can prove that each new release of Xfontsel
is signed by the same person who signed the earlier releases.

In this case I see that Oclock and Xfontsel are signed with the same
key. That seems quite legitimate as both tarballs are from www.x.org.
Instead of doing another, separate TOFU, you should copy Ben's
xfontsel.gpg from the xfontsel Git repository. That way your initial
Oclock package is not a first use of the key, but a second use, and
when you invoke gpgverify it will prove that the Oclock tarball was
signed by the same person who signed the Xfontsel tarball.

Once you have the key, remember to pass all three parameters to
gpgverify: --keyring, --signature and --data.

Björn Persson

Attachment: pgpdsUtmhEDrR.pgp
Description: OpenPGP digital signature

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
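The packaging step Björn describes, written out as a spec-file fragment. This is an added illustration and is not the actual Oclock or Xfontsel spec from Fedora; the version, release, download URLs and SourceN numbering are assumptions chosen for the example. Source2 is the xfontsel.gpg keyring copied unchanged from the xfontsel Git repository, and the %{gpgverify} call passes all three parameters named above.

```spec
# Added example; not the real oclock package spec.
# Assumed values: Version, Release, the x.org download URLs.
Name:           oclock
Version:        1.0.4
Release:        1%{?dist}
Summary:        Round X clock
License:        MIT
URL:            https://www.x.org/

# Source0 is the upstream tarball, Source1 its detached OpenPGP signature
# (the URL pattern is an assumption for this example).
Source0:        https://www.x.org/releases/individual/app/%{name}-%{version}.tar.xz
Source1:        https://www.x.org/releases/individual/app/%{name}-%{version}.tar.xz.sig
# Source2 is the keyring file copied from the xfontsel Git repository, so
# this build is a second use of the same key rather than a fresh
# trust-on-first-use.  Any later release must validate with this same key.
Source2:        xfontsel.gpg

# %{gpgverify} needs gnupg2 at build time.
BuildRequires:  gnupg2
BuildRequires:  gcc
BuildRequires:  make

%description
Round X clock (example package).

%prep
# Verify the tarball with the copied keyring before unpacking anything.
# All three parameters are required: the build aborts here if the signature
# was not made by a key in xfontsel.gpg.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup

%build
%configure
%make_build

%install
%make_install

%files
%license COPYING
%{_bindir}/oclock
```

Because the keyring file is byte-for-byte the one already used by xfontsel, a future Oclock tarball signed with some other key fails this check instead of being silently accepted, which is exactly the guarantee the message above describes. The keyring must not be regenerated or "refreshed" in the Oclock repository; doing so would turn the second use back into a first use.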
