public inbox for gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
From: Haelwenn (lanodan) Monnier @ 2021-12-08 15:29 UTC
  To: gentoo-dev

[2021-12-08 19:28:24+0500] Anna Vyalkova:
> On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> > >+case ${VERIFY_SIG_IMPL} in
> > >+	gnupg)
> > >+		BDEPEND="
> > >+			verify-sig? (
> > >+				app-crypt/gnupg
> > >+				>=app-portage/gemato-16
> > >+			)"
> > >+		;;
> > >+	signify)
> > >+		BDEPEND="verify-sig? ( app-crypt/signify )"
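Review bot: no default `*)` branch is visible in this `case ${VERIFY_SIG_IMPL}`; if the full hunk has none, a misspelled or unsupported VERIFY_SIG_IMPL value silently leaves BDEPEND empty instead of failing. Suggest closing the case with a `*)` branch that calls `die` naming the unsupported value, so that misconfiguration is caught when the eclass is sourced rather than surfacing later as a missing tool.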
> > 
> > Might be worth it to depend on app-crypt/minisign instead or depend on any.
> > minisign is already stabilized and I slightly prefer its implementation over
> > the ported signify as there is no vendoring.
> > That said minisign could be considered bloated compared to signify.
> 
> $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
> Trusted signature comment should start with "trusted comment: "
> 
> It doesn't work :/
> Also it has no "verify signed checksums list" mode.

Not sure what your files are but those two are definitely bugs in minisign. :/

> > >+	case ${VERIFY_SIG_IMPL} in
> > >+		gnupg)
> > >+			gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> > >+				gpg --verify "${sig}" "${file}" ||
> > >+				die "PGP signature verification failed"
> > >+			;;
> > >+		signify)
> > >+			signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> > >+				die "PGP signature verification failed"
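Review bot: the signify branch reuses `die "PGP signature verification failed"`, but signify signatures are not OpenPGP, so a failure here would be misreported; suggest `die "signify signature verification failed"` or, to keep a single message across implementations, one `die "Signature verification failed (${VERIFY_SIG_IMPL})"` after the `esac`. Also worth a line of documentation on `${key}`: the gnupg branch hands it to `gemato gpg-wrap -K "${key}"` while the signify branch passes it straight to `signify -p "${key}"`, so the expected key-file format differs per implementation.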
> > 
> > Should be something like "Signify signature verification failed".
> 
> It's still PGP, so the message is accurate. Having different messages
> would be inconsistent. That's what I think.

Nah, signify has nothing to do with OpenPGP, they are entirely different.

OpenPGP is defined in RFC4880 and is implemented by PGP, GnuPG and NetPGP.
It notably has non-rotatable identity keys, subkeys, keyservers and a web-of-trust.

Signify is just barebones signatures from one simple key, with rotation being
intended and no designed network protocol.
See https://flak.tedunangst.com/post/signify for details.
