[pacman-dev] [PATCH] makepkg: add flag 'recvkeys' to retrieve PGP keys from 'validpgpkeys' in PKGBUILDs
This makes automating PGP keys for verifying source file signatures possible.
This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Signed-off-by: Alli
Hi, Le 03/04/2017 à 18:37, alzeih@gmail.com a écrit :
This makes automating PGP keys for verifying source file signatures possible.
This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Regards, Bruno
On 04/04/17 11:45, Bruno Pagani wrote:
Hi,
Le 03/04/2017 à 18:37, alzeih@gmail.com a écrit :
This makes automating PGP keys for verifying source file signatures possible.
This may make it easier for package users and maintainers to obtain PGP keys used in PKGBUILDs.
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow.
Given this feature exists, I will not be adding this option to makepkg. Allan
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow.
Okay, I didn't know about this feature of gnupg, so thanks for that. Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg. It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting. As for automation, the above setting is a couple of extra steps but that's probably fine (with automation). Thanks, Alli
Le 03/04/2017 à 19:02, Alli a écrit :
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Okay, I didn't know about this feature of gnupg, so thanks for that.
Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting.
I think that all uses cases can come with a solution without having to modify makepkg. The one you describe means that people don’t really care about checking the keys by themselves, so the AUR helper they use could probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
On 04/04/17 12:43, Bruno Pagani wrote:
Le 03/04/2017 à 19:02, Alli a écrit :
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Okay, I didn't know about this feature of gnupg, so thanks for that.
Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting.
I think that all uses cases can come with a solution without having to modify makepkg. The one you describe means that people don’t really care about checking the keys by themselves, so the AUR helper they use could probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
What is there to check? You are not explicitly trusting the key in your keyring - only downloading it. makepkg then confirms the key matches the fingerprint given to determine it is the key "trusted" by the packager. A
On Tue, 4 Apr 2017 at 14:41 Bruno Pagani
probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
Setting GNUPGHOME allows for a separate keyring if that's wanted. It's required when building as a user without a home directory (eg: nobody). I'm not using an AUR helper so without the above patch I need to make gnupg create the appropriate files ($GNUPGHOME/gpg.conf), edit the config, then run makepkg.
Le 03/04/2017 à 19:46, Allan McRae a écrit :
On 04/04/17 12:43, Bruno Pagani wrote:
Le 03/04/2017 à 19:02, Alli a écrit :
Are you aware of the |keyserver-options auto-key-retrieve| from GPG? I don’t say that this patch is useless, but just that this feature already exists elsewhere somehow. Okay, I didn't know about this feature of gnupg, so thanks for that.
Pacman seems to have a feature of downloading required PGP keys on demand, so I was going for something similar in the user experience with makepkg.
It still might be useful for AUR maintainers as a one liner of how to fix PGP signature errors seen by users? Certainly easier to find than the above setting. I think that all uses cases can come with a solution without having to modify makepkg. The one you describe means that people don’t really care about checking the keys by themselves, so the AUR helper they use could probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
What is there to check? You are not explicitly trusting the key in your keyring - only downloading it. makepkg then confirms the key matches the fingerprint given to determine it is the key "trusted" by the packager.
A
You might not trust the packager/maintainer. You might want to check this is the right key by looking at the sigs, checking whether you have a path to it, or whatever. I’ve also seen people using --lsign, but not sure why. But my point here is more that you might want to have automatic key retrieval for makepkg but not for other PGP uses for whatever reason. But this is solved by a separated GNUPGHOME. So no reason to discuss it further, since in the end we both agree that there is no reason to bake that into makepkg. Bruno
Le 03/04/2017 à 20:03, Alli a écrit :
On Tue, 4 Apr 2017 at 14:41 Bruno Pagani
wrote: ... probably use a separated GPG keyring/db with this option set (not sure if that’s easy to do/configure, but it probably should).
Setting GNUPGHOME allows for a separate keyring if that's wanted.
It's required when building as a user without a home directory (eg: nobody).
I'm not using an AUR helper so without the above patch I need to make gnupg create the appropriate files ($GNUPGHOME/gpg.conf), edit the config, then run makepkg.
Then you only have to set it once, and then just alias makepkg or write a wrapper setting this var. Bruno
participants (4)
-
Allan McRae
-
Alli
-
alzeih@gmail.com
-
Bruno Pagani