[pacman-dev] GPG remote signing
Denis A. Altoé Falqueto
denisfalqueto at gmail.com
Fri Jun 10 21:20:45 EDT 2011
On Fri, Jun 10, 2011 at 7:45 PM, Dan McGee <dpmcgee at gmail.com> wrote:
> Thoughts? Other ideas? Things I'm forgetting? I'll withhold my
> preference of option for now to prevent biasing any comments; the
> above should not be seen as order of preference.
I've had the following idea since I started to help, but never
really tested it. I did it now and it worked. What do you think?
High level explanation:
1. grab a remote lock by creating a lock directory
2. if previous command succeeded
2.1. locally, scp the repository db file from the remote machine to the local one
2.2. sign the file locally
2.3. send the signature back to remote
2.4. release the lock
Test implementation:
#!/bin/bash
host="some remote host"
lock="name of lock directory"
filetosign="full path of remote file to sign"

# grab the remote lock: mkdir is atomic, so it fails if the lock already exists
if ssh "$host" "mkdir '$lock'"; then
    localfile=$(mktemp)
    # fetch the db, sign it locally, and send only the detached signature back
    scp "$host:$filetosign" "$localfile" &&
        gpg --detach-sign "$localfile" &&
        scp "$localfile.sig" "$host:$filetosign.sig"
    rm -f "$localfile" "$localfile.sig"
    # release the lock even if one of the steps above failed
    ssh "$host" "rmdir '$lock'"
fi
I've tested it here and it signed a file from my own machine through
ssh. It had lots of password typing, but that's because I don't use
public key authentication (I don't even start ssh automatically :))
--
A: Because it obfuscates the reading.
Q: Why is top posting so bad?
-------------------------------------------
Denis A. Altoe Falqueto
Linux user #524555
-------------------------------------------