Re: thoughts on signature verification

To: debian-dpkg@lists.debian.org
Subject: Re: thoughts on signature verification
From: Colin Walters <walters@debian.org>
Date: 08 Aug 2002 13:30:09 -0400
Message-id: <[🔎] 1028827809.13720.23.camel@space-ghost>
In-reply-to: <[🔎] 20020808131932.GM9791@phunnypharm.org>
References: <[🔎] 1028783074.9642.24.camel@space-ghost> <[🔎] 20020808131932.GM9791@phunnypharm.org>

[ no need to CC me either, btw ]

On Thu, 2002-08-08 at 09:19, Ben Collins wrote:
> On Thu, Aug 08, 2002 at 01:04:34AM -0400, Colin Walters wrote:
> > So, one of the things I want to do for the new dpkg-source is to
> > actually verify signatures on source packages.  I noticed debsigs and
> > debsig-verify, but they appear to only operate on .deb packages.
> 
> What else do you need? The .dsc is just signed. All you need to do is
> check the sig with gpg.

Well we at least need to check the signature against multiple keyrings. 
I guess that code would just be:

#!/bin/sh
gpgv --keyring /usr/share/keyrings/debian-keyring.gpg \
     --keyring /usr/share/keyrings/debian-keyring.pgp \
     --keyring /etc/dpkg/local-keyring.gpg "$@"

Or we could go with aj's method of listing the keyrings in a file (which
I actually like better, now that I think about it).  I just think it
would be nice to share this code somehow, because debsig-verify should
by default check against the same set of keyrings.

Reply to:

References:
- thoughts on signature verification
  - From: Colin Walters <walters@debian.org>
- Re: thoughts on signature verification
  - From: Ben Collins <bcollins@debian.org>

Prev by Date: Bug#155676: patch] dynamic sha1sums generation
Next by Date: Re: thoughts on signature verification
Previous by thread: Re: thoughts on signature verification
Next by thread: Why does dpkg package depend on dselect?
Index(es):
- Date
- Thread