public inbox for gentoo-dev@lists.gentoo.org
From: "Haelwenn (lanodan) Monnier" <contact@hacktivis.me>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
Date: Wed, 8 Dec 2021 16:29:23 +0100
Message-ID: <YbDPUzoV6IyMvbZR@cloudsdale.the-delta.net.eu.org>

[2021-12-08 19:28:24+0500] Anna Vyalkova:
> On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> > >+case ${VERIFY_SIG_IMPL} in
> > >+	gnupg)
> > >+		BDEPEND="
> > >+			verify-sig? (
> > >+				app-crypt/gnupg
> > >+				>=app-portage/gemato-16
> > >+			)"
> > >+		;;
> > >+	signify)
> > >+		BDEPEND="verify-sig? ( app-crypt/signify )"
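
Review bot: the `case ${VERIFY_SIG_IMPL}` block shows arms only for `gnupg` and `signify` in the quoted lines; unless a `*)` arm follows, a mistyped value would leave BDEPEND without any verification tool and raise no error. Suggest a final arm such as `*) die "Unknown VERIFY_SIG_IMPL: ${VERIFY_SIG_IMPL}" ;;` so a bad setting fails when the eclass is sourced.
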
> > 
> > Might be worth it to depend on app-crypt/minisign instead or depend on any.
> > minisign is already stabilized and I slightly prefer its implementation over
> > the ported signify as there is no vendoring.
> > That said, minisign could be considered bloated compared to signify.
> 
> $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
> Trusted signature comment should start with "trusted comment: "
> 
> It doesn't work :/
> Also it has no "verify signed checksums list" mode.

Not sure what your files are but those two are definitely bugs in minisign. :/

> > >+	case ${VERIFY_SIG_IMPL} in
> > >+		gnupg)
> > >+			gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> > >+				gpg --verify "${sig}" "${file}" ||
> > >+				die "PGP signature verification failed"
> > >+			;;
> > >+		signify)
> > >+			signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> > >+				die "PGP signature verification failed"
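
Review bot: the `signify)` arm's `die` reuses the string "PGP signature verification failed" from the `gnupg)` arm, so a build log cannot tell which implementation rejected the file. Suggest a message that names the tool in each arm, for example "signify signature verification failed" here.
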
> > 
> > Should be something like "Signify signature verification failed".
> 
> It's still PGP, so the message is accurate. Having different messages
> would be inconsistent. That's what I think.

Nah, signify has nothing to do with OpenPGP, they are entirely different.

OpenPGP is defined in RFC 4880 and is implemented by PGP, GnuPG and NetPGP.
It notably has non-rotatable identity keys, subkeys, keyservers and a web-of-trust.

Signify is just barebones signatures from one simple key, with rotation being
intended and no designed network protocol.
See https://flak.tedunangst.com/post/signify for details.
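
The "barebones" signify layout mentioned above, and the "trusted comment: " line named in the quoted minisign error, can be told apart by structure alone. The following is an added example, not code from this thread or from either project; it assumes the file layouts as documented by the two tools (an "untrusted comment: " line, then base64 of a 2-byte algorithm tag, 8-byte key number and key or signature bytes, with minisign adding a trusted comment and a second signature), and all sample data is constructed dummy bytes.

```python
import base64

UNTRUSTED, TRUSTED = "untrusted comment: ", "trusted comment: "

def parse_blob(text, body_len):
    """Split a key/signature file into (alg, keynum, body, remaining lines)."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0].startswith(UNTRUSTED):
        raise ValueError("first line is not an untrusted comment")
    raw = base64.b64decode(lines[1], validate=True)
    if len(raw) != 2 + 8 + body_len:  # algorithm tag + key number + body
        raise ValueError("unexpected blob length: %d" % len(raw))
    return raw[:2], raw[2:10], raw[10:], lines[2:]

def classify_signature(sig_text, pub_text):
    """Name the layout of sig_text after checking it refers to pub_text's key.

    Structural check only: the Ed25519 signature itself is NOT verified.
    """
    _, pub_keynum, _, _ = parse_blob(pub_text, 32)
    alg, keynum, _, rest = parse_blob(sig_text, 64)
    if alg not in (b"Ed", b"ED"):  # "ED" is minisign's prehashed variant
        raise ValueError("unknown algorithm tag: %r" % alg)
    if keynum != pub_keynum:
        raise ValueError("signature was made with a different key")
    if rest and rest[0].startswith(TRUSTED):
        return "minisign"
    return "signify-embedded" if any(rest) else "signify-detached"

def _sample(tag, keynum, body, tail=""):
    """Build a constructed sample file; bodies are dummy bytes, not real keys."""
    blob = base64.b64encode(tag + keynum + body).decode()
    return UNTRUSTED + "constructed sample\n" + blob + "\n" + tail

KEYNUM = bytes(range(8))
PUB = _sample(b"Ed", KEYNUM, bytes(32))
DETACHED = _sample(b"Ed", KEYNUM, bytes(64))
EMBEDDED = _sample(b"Ed", KEYNUM, bytes(64), "SHA256 (example.tar.gz) = 00ff\n")
MINISIGN = _sample(b"Ed", KEYNUM, bytes(64),
                   TRUSTED + "timestamp:0\n" + base64.b64encode(bytes(64)).decode() + "\n")
OTHER_KEY = _sample(b"Ed", bytes(8), bytes(64))

if __name__ == "__main__":
    for name in ("DETACHED", "EMBEDDED", "MINISIGN"):
        print(name, "->", classify_signature(globals()[name], PUB))
```

A key-number match only says which key a signature claims to come from; acceptance still depends on the tool verifying the signature bytes.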

