* Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
@ 2021-12-08 15:29 99% Haelwenn (lanodan) Monnier
From: Haelwenn (lanodan) Monnier @ 2021-12-08 15:29 UTC
To: gentoo-dev
[2021-12-08 19:28:24+0500] Anna Vyalkova:
> On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> > >+case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ BDEPEND="
> > >+ verify-sig? (
> > >+ app-crypt/gnupg
> > >+ >=app-portage/gemato-16
> > >+ )"
> > >+ ;;
> > >+ signify)
> > >+ BDEPEND="verify-sig? ( app-crypt/signify )"
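Review bot: The `case ${VERIFY_SIG_IMPL}` block in the quoted lines has arms for `gnupg` and `signify` only. If no `*)` arm follows outside the quoted context, a misspelled or unsupported value leaves BDEPEND unset by this block; add a `*)` arm that dies naming the bad value, and document the accepted values of VERIFY_SIG_IMPL next to the variable.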
> >
> > Might be worth it to depend on app-crypt/minisign instead or depend on any.
> > minisign is already stabilized and I slightly prefer its implementation over
> > the ported signify as there is no vendoring.
> > That said minisign could be considered bloated compared to signify.
>
> $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
> Trusted signature comment should start with "trusted comment: "
>
> It doesn't work :/
> Also it has no "verify signed checksums list" mode.
Not sure what your files are but those two are definitely bugs in minisign. :/
> > >+ case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> > >+ gpg --verify "${sig}" "${file}" ||
> > >+ die "PGP signature verification failed"
> > >+ ;;
> > >+ signify)
> > >+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> > >+ die "PGP signature verification failed"
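Review bot: The `signify)` arm dies with the same string as the `gnupg)` arm, "PGP signature verification failed", so a build log cannot tell which verifier rejected the file. Name the tool in each message, for example `die "signify signature verification failed"` in the signify arm. The signify call also does not receive `"${extra_args[@]}"` as the gemato call does; if that is intentional, a short comment saying so would help.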
> >
> > Should be something like "Signify signature verification failed".
>
> It's still PGP, so the message is accurate. Having different messages
> would be inconsistent. That's what I think.
Nah, signify has nothing to do with OpenPGP, they are entirely different.
OpenPGP is defined in RFC4880 and is implemented by PGP, GnuPG and NetPGP.
It notably has non-rotatable identity keys, subkeys, keyservers and a web-of-trust.
Signify is just barebones signatures from one simple key, with rotation being
intended and no designed network protocol.
See https://flak.tedunangst.com/post/signify for details.