
Re: thoughts on signature verification

[ no need to CC me either, btw ]

On Thu, 2002-08-08 at 09:19, Ben Collins wrote:
> On Thu, Aug 08, 2002 at 01:04:34AM -0400, Colin Walters wrote:
> > So, one of the things I want to do for the new dpkg-source is to
> > actually verify signatures on source packages.  I noticed debsigs and
> > debsig-verify, but they appear to only operate on .deb packages.
> What else do you need? The .dsc is just signed. All you need to do is
> check the sig with gpg.

Well, we at least need to check the signature against multiple keyrings.
I guess that code would just be:

gpgv --keyring /usr/share/keyrings/debian-keyring.gpg \
     --keyring /usr/share/keyrings/debian-keyring.pgp \
     --keyring /etc/dpkg/local-keyring.gpg "$@"

Or we could go with aj's method of listing the keyrings in a file (which
I actually like better, now that I think about it).  I just think it
would be nice to share this code somehow, because debsig-verify should
by default check against the same set of keyrings.
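
As an added example (mine, not code from the original post, dpkg or
debsig-verify) of the keyrings-listed-in-a-file variant: keyring paths are
read from a list file (/etc/dpkg/keyrings.list is an assumed name for the
example), unreadable ones are skipped with a warning, and the rest are
handed to gpgv as repeated --keyring options. Worth keeping in mind when
sharing this between dpkg-source and debsig-verify: gpgv does no trust
evaluation at all, so the set of keyrings is the entire policy.

```shell
#!/bin/sh
# Added example (not code from the original post, dpkg or debsig-verify):
# the "keyrings listed in a file" variant of the gpgv call above.  The list
# file path /etc/dpkg/keyrings.list is an assumption made for this example.

KEYRING_LIST="${KEYRING_LIST:-/etc/dpkg/keyrings.list}"

# Print "--keyring" and a path, one per line, for every readable keyring
# named in the list file $1.  Blank lines and '#' comments are ignored.
# Unreadable keyrings are reported on stderr and left out of the gpgv call.
build_keyring_args() {
    list="$1"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                                  # drop comments
        line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')"
        [ -n "$line" ] || continue
        if [ -r "$line" ]; then
            printf '%s\n%s\n' --keyring "$line"
        else
            printf 'warning: keyring %s is not readable, skipping\n' "$line" >&2
        fi
    done < "$list"
}

# Verify a clearsigned .dsc ($1) with gpgv against every listed keyring.
# gpgv exits 0 only for a good signature by a key in one of the keyrings;
# it does no trust checking, so keyring membership is the whole policy.
# --status-fd 2 adds GOODSIG/BADSIG/NO_PUBKEY lines for callers that want
# to know why verification failed.
verify_dsc() {
    dsc="$1"
    # Rebuild the positional parameters from build_keyring_args output so
    # that keyring paths containing spaces are passed to gpgv intact.
    set --
    while IFS= read -r arg; do
        if [ -n "$arg" ]; then
            set -- "$@" "$arg"
        fi
    done <<EOF
$(build_keyring_args "$KEYRING_LIST")
EOF
    if [ "$#" -eq 0 ]; then
        echo "error: no usable keyrings in $KEYRING_LIST, refusing to verify $dsc" >&2
        return 2
    fi
    gpgv --status-fd 2 "$@" "$dsc"
}
```

Usage would be `verify_dsc foo_1.0-1.dsc`; the exit status is the verdict,
and the status lines on stderr say whether a failure was a bad signature or
merely a key that is in none of the listed keyrings. An empty or missing
list file is treated as an error rather than as "verify against nothing".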
