Re: thoughts on signature verification
[ no need to CC me either, btw ]
On Thu, 2002-08-08 at 09:19, Ben Collins wrote:
> On Thu, Aug 08, 2002 at 01:04:34AM -0400, Colin Walters wrote:
> > So, one of the things I want to do for the new dpkg-source is to
> > actually verify signatures on source packages. I noticed debsigs and
> > debsig-verify, but they appear to only operate on .deb packages.
> What else do you need? The .dsc is just signed. All you need to do is
> check the sig with gpg.
Well, we at least need to check the signature against multiple keyrings.
I guess that code would just be:
    gpgv --keyring /usr/share/keyrings/debian-keyring.gpg \
         --keyring /usr/share/keyrings/debian-keyring.pgp \
         --keyring /etc/dpkg/local-keyring.gpg "$@"
Or we could go with aj's method of listing the keyrings in a file (which
I actually like better, now that I think about it). I just think it
would be nice to share this code somehow, because debsig-verify should
by default check against the same set of keyrings.
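
A sketch of the keyring-list-file variant discussed above, added here as an example; it is not part of the original message and not dpkg or debsig-verify code. The list path /etc/dpkg/keyrings.list and the function names are hypothetical, and the script assumes one absolute keyring path per line with '#' comments.

```shell
#!/bin/sh
# Added example. KEYRING_LIST is a hypothetical path; the thread names no file.
KEYRING_LIST="${KEYRING_LIST:-/etc/dpkg/keyrings.list}"

# Print the usable keyring paths from list file $1, one per line.
# Blank lines and '#' comments are ignored; relative paths and paths that are
# not readable regular files are skipped with a warning on stderr.
usable_keyrings() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        case $line in
            /*) ;;
            *) echo "skipping relative path: $line" >&2; continue ;;
        esac
        if [ -f "$line" ] && [ -r "$line" ]; then
            printf '%s\n' "$line"
        else
            echo "skipping unreadable keyring: $line" >&2
        fi
    done < "$1"
}

# Verify signed files (a .dsc, for instance) against every listed keyring.
# Returns 2 without running gpgv when no keyring is usable, so that gpgv is
# never left to fall back to its default trustedkeys keyring.
verify_signed() {
    list=$(usable_keyrings "$KEYRING_LIST") || return 2
    if [ -z "$list" ]; then
        echo "no usable keyring listed in $KEYRING_LIST" >&2
        return 2
    fi
    # Prepend one "--keyring PATH" pair per entry; their order does not
    # affect which signatures gpgv accepts.
    while IFS= read -r k; do
        set -- --keyring "$k" "$@"
    done <<EOF
$list
EOF
    gpgv "$@"
}
```

Sourcing the same file from both dpkg-source and debsig-verify wrappers would give them the same keyring set; call it as verify_signed package.dsc.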