* Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
@ 2021-12-08 15:29 Haelwenn (lanodan) Monnier
0 siblings, 0 replies; 4+ messages in thread
From: Haelwenn (lanodan) Monnier @ 2021-12-08 15:29 UTC (permalink / raw
To: gentoo-dev
[2021-12-08 19:28:24+0500] Anna Vyalkova:
> On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> > >+case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ BDEPEND="
> > >+ verify-sig? (
> > >+ app-crypt/gnupg
> > >+ >=app-portage/gemato-16
> > >+ )"
> > >+ ;;
> > >+ signify)
> > >+ BDEPEND="verify-sig? ( app-crypt/signify )"
> >
> > Might be worth it to depend on app-crypt/minisign instead or depend on any.
> > minisign is already stabilized and I slightly prefer it's implementation over
> > the ported signify as there is no vendoring.
> > That said minisign could be considered bloated compared to signify.
>
> $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
> Trusted signature comment should start with "trusted comment: "
>
> It doesn't work :/
> Also it has no "verify signed checksums list" mode.
Not sure what your files are but those two are definitely bugs in minisign. :/
> > >+ case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> > >+ gpg --verify "${sig}" "${file}" ||
> > >+ die "PGP signature verification failed"
> > >+ ;;
> > >+ signify)
> > >+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> > >+ die "PGP signature verification failed"
> >
> > Should be something like "Signify signature verification failed".
>
> It's still PGP, so the message is accurate. Having different messages
> would be inconsistent. That's what I think.
Nah, signify has nothing to do with OpenPGP, they are entirely different.
OpenPGP is defined in RFC4880 and is implemented by PGP, GnuPG and NetPGP.
It notably has non-rotable identity keys, subkeys, keyservers and a web-of-trust.
Signify is just barebones signatures from one simple key, with rotation being
intended and no designed network protocol.
See https://flak.tedunangst.com/post/signify for details.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
@ 2021-12-08 2:54 Anna Vyalkova
2021-12-08 12:54 ` Haelwenn (lanodan) Monnier
0 siblings, 1 reply; 4+ messages in thread
From: Anna Vyalkova @ 2021-12-08 2:54 UTC (permalink / raw
To: gentoo-dev
It is useful for verifying distfiles that come from OpenBSD folks since
signify produces signatures incompatible with GnuPG.
Signed-off-by: Anna Vyalkova <cyber+gentoo@sysrq.in>
---
Feel free to edit this patch or leave suggestions if you think I've done
something wrong.
I've tested this eclass with both gnupg and signify signatures but more
testing won't hurt (to make sure I didn't break anything).
If this patch is accepted, some developer will need to commit it.
eclass/verify-sig.eclass | 138 +++++++++++++++++++++++++++++----------
1 file changed, 105 insertions(+), 33 deletions(-)
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 2bc5bd5ddba..d3d2326a3bc 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -1,265 +1,337 @@
# Copyright 2020-2021 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
# @ECLASS: verify-sig.eclass
# @MAINTAINER:
# Michał Górny <mgorny@gentoo.org>
# @SUPPORTED_EAPIS: 7 8
# @BLURB: Eclass to verify upstream signatures on distfiles
# @DESCRIPTION:
# verify-sig eclass provides a streamlined approach to verifying
# upstream signatures on distfiles. Its primary purpose is to permit
# developers to easily verify signatures while bumping packages.
# The eclass removes the risk of developer forgetting to perform
# the verification, or performing it incorrectly, e.g. due to additional
# keys in the local keyring. It also permits users to verify
# the developer's work.
#
# To use the eclass, start by packaging the upstream's key
# as app-crypt/openpgp-keys-*. Then inherit the eclass, add detached
# signatures to SRC_URI and set VERIFY_SIG_OPENPGP_KEY_PATH. The eclass
# provides verify-sig USE flag to toggle the verification.
#
+# If you need to use signify, you may want to copy distfiles into WORKDIR to
+# work around "Too many levels of symbolic links" error.
+# @EXAMPLE:
# Example use:
+#
# @CODE
# inherit verify-sig
#
# SRC_URI="https://example.org/${P}.tar.gz
# verify-sig? ( https://example.org/${P}.tar.gz.sig )"
# BDEPEND="
# verify-sig? ( app-crypt/openpgp-keys-example )"
#
# VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/example.asc
# @CODE
case ${EAPI} in
7|8) ;;
*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
esac
EXPORT_FUNCTIONS src_unpack
if [[ ! ${_VERIFY_SIG_ECLASS} ]]; then
IUSE="verify-sig"
-BDEPEND="
- verify-sig? (
- app-crypt/gnupg
- >=app-portage/gemato-16
- )"
+# @ECLASS-VARIABLE: VERIFY_SIG_IMPL
+# @PRE_INHERIT
+# @DESCRIPTION:
+# OpenPGP implementation to use. Valid options: "gnupg" and "signify".
+: ${VERIFY_SIG_IMPL:=gnupg}
+
+case ${VERIFY_SIG_IMPL} in
+ gnupg)
+ BDEPEND="
+ verify-sig? (
+ app-crypt/gnupg
+ >=app-portage/gemato-16
+ )"
+ ;;
+ signify)
+ BDEPEND="verify-sig? ( app-crypt/signify )"
+ ;;
+ *)
+ die "${ECLASS}: unknown OpenPGP implementation '${VERIFY_SIG_IMPL}'"
+ ;;
+esac
# @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH
# @DEFAULT_UNSET
# @DESCRIPTION:
# Path to key bundle used to perform the verification. This is required
# when using default src_unpack. Alternatively, the key path can be
# passed directly to the verification functions.
# @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
# @DEFAULT_UNSET
# @DESCRIPTION:
# Keyserver used to refresh keys. If not specified, the keyserver
# preference from the key will be respected. If no preference
-# is specified by the key, the GnuPG default will be used.
+# is specified by the key, the GnuPG default will be used. Supported for GnuPG
+# only.
# @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEY_REFRESH
# @USER_VARIABLE
# @DESCRIPTION:
# Attempt to refresh keys via WKD/keyserver. Set it to "yes"
# in make.conf to enable. Note that this requires working Internet
-# connection.
+# connection. Supported for GnuPG only.
: ${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}
# @FUNCTION: verify-sig_verify_detached
# @USAGE: <file> <sig-file> [<key-file>]
# @DESCRIPTION:
# Read the detached signature from <sig-file> and verify <file> against
# it. <key-file> can either be passed directly, or it defaults
# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
# fails.
verify-sig_verify_detached() {
local file=${1}
local sig=${2}
local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
[[ -n ${key} ]] ||
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
- [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
- --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
- )
+ if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
+ [[ ${VERIFY_SIG_IMPL} == gnupg ]] ||
+ die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
+
+ extra_args+=(
+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+ )
+ fi
# GPG upstream knows better than to follow the spec, so we can't
# override this directory. However, there is a clean fallback
# to GNUPGHOME.
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
- gpg --verify "${sig}" "${file}" ||
- die "PGP signature verification failed"
+ case ${VERIFY_SIG_IMPL} in
+ gnupg)
+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+ gpg --verify "${sig}" "${file}" ||
+ die "PGP signature verification failed"
+ ;;
+ signify)
+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
+ die "PGP signature verification failed"
+ ;;
+ esac
}
# @FUNCTION: verify-sig_verify_message
# @USAGE: <file> <output-file> [<key-file>]
# @DESCRIPTION:
# Verify that the file ('-' for stdin) contains a valid, signed PGP
# message and write the message into <output-file> ('-' for stdout).
# <key-file> can either be passed directly, or it defaults
# to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
# fails. Note that using output from <output-file> is important as it
# prevents the injection of unsigned data.
verify-sig_verify_message() {
local file=${1}
local output_file=${2}
local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
[[ -n ${key} ]] ||
die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
local extra_args=()
[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
- [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
- --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
- )
+ if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
+ [[ ${VERIFY_SIG_IMPL} == gnupg ]] ||
+ die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
+
+ extra_args+=(
+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+ )
+ fi
# GPG upstream knows better than to follow the spec, so we can't
# override this directory. However, there is a clean fallback
# to GNUPGHOME.
addpredict /run/user
local filename=${file##*/}
[[ ${file} == - ]] && filename='(stdin)'
einfo "Verifying ${filename} ..."
- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
- gpg --verify --output="${output_file}" "${file}" ||
- die "PGP signature verification failed"
+ case ${VERIFY_SIG_IMPL} in
+ gnupg)
+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+ gpg --verify --output="${output_file}" "${file}" ||
+ die "PGP signature verification failed"
+ ;;
+ signify)
+ signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
+ die "PGP signature verification failed"
+ ;;
+ esac
}
-# @FUNCTION: verify-sig_verify_signed_checksums
+# @FUNCTION: _gpg_verify_signed_checksums
+# @INTERNAL
# @USAGE: <checksum-file> <algo> <files> [<key-file>]
# @DESCRIPTION:
-# Verify the checksums for all files listed in the space-separated list
-# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
-# specified the checksum algorithm (e.g. sha256). <key-file> can either
-# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
-#
-# The function dies if PGP verification fails, the checksum file
-# contains unsigned data, one of the files do not match checksums
-# or are missing from the checksum file.
-verify-sig_verify_signed_checksums() {
+# GnuPG-specific function to verify a signed checksums list.
+_gpg_verify_signed_checksums() {
local checksum_file=${1}
local algo=${2}
local files=()
read -r -d '' -a files <<<"${3}"
local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
-
local chksum_prog chksum_len
+
case ${algo} in
sha256)
chksum_prog=sha256sum
chksum_len=64
;;
*)
die "${FUNCNAME}: unknown checksum algo ${algo}"
;;
esac
- [[ -n ${key} ]] ||
- die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
-
local checksum filename junk ret=0 count=0
while read -r checksum filename junk; do
[[ ${#checksum} -eq ${chksum_len} ]] || continue
[[ -z ${checksum//[0-9a-f]} ]] || continue
has "${filename}" "${files[@]}" || continue
[[ -z ${junk} ]] || continue
"${chksum_prog}" -c --strict - <<<"${checksum} ${filename}"
if [[ ${?} -eq 0 ]]; then
(( count++ ))
else
ret=1
fi
done < <(verify-sig_verify_message "${checksum_file}" - "${key}")
[[ ${ret} -eq 0 ]] ||
die "${FUNCNAME}: at least one file did not verify successfully"
[[ ${count} -eq ${#files[@]} ]] ||
die "${FUNCNAME}: checksums for some of the specified files were missing"
}
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
+# specified the checksum algorithm (e.g. sha256). <key-file> can either
+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if PGP verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums
+# or are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+ local checksum_file=${1}
+ local algo=${2}
+ local files=()
+ read -r -d '' -a files <<<"${3}"
+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+ [[ -n ${key} ]] ||
+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+ case ${VERIFY_SIG_IMPL} in
+ gnupg)
+ _gpg_verify_signed_checksums \
+ "${checksum_file}" "${algo}" "${files[@]}" "${key}"
+ ;;
+ signify)
+ signify -C -p "${key}" \
+ -x "${checksum_file}" "${files[@]}" ||
+ die "PGP signature verification failed"
+ ;;
+ esac
+}
+
# @FUNCTION: verify-sig_src_unpack
# @DESCRIPTION:
# Default src_unpack override that verifies signatures for all
# distfiles if 'verify-sig' flag is enabled. The function dies if any
# of the signatures fails to verify or if any distfiles are not signed.
# Please write src_unpack() yourself if you need to perform partial
# verification.
verify-sig_src_unpack() {
if use verify-sig; then
local f suffix found
local distfiles=() signatures=() nosigfound=() straysigs=()
# find all distfiles and signatures, and combine them
for f in ${A}; do
found=
for suffix in .asc .sig; do
if [[ ${f} == *${suffix} ]]; then
signatures+=( "${f}" )
found=sig
break
else
if has "${f}${suffix}" ${A}; then
distfiles+=( "${f}" )
found=dist+sig
break
fi
fi
done
if [[ ! ${found} ]]; then
nosigfound+=( "${f}" )
fi
done
# check if all distfiles are signed
if [[ ${#nosigfound[@]} -gt 0 ]]; then
eerror "The following distfiles lack detached signatures:"
for f in "${nosigfound[@]}"; do
eerror " ${f}"
done
die "Unsigned distfiles found"
fi
# check if there are no stray signatures
for f in "${signatures[@]}"; do
if ! has "${f%.*}" "${distfiles[@]}"; then
straysigs+=( "${f}" )
fi
done
if [[ ${#straysigs[@]} -gt 0 ]]; then
eerror "The following signatures do not match any distfiles:"
for f in "${straysigs[@]}"; do
eerror " ${f}"
done
die "Unused signatures found"
fi
# now perform the verification
for f in "${signatures[@]}"; do
verify-sig_verify_detached \
"${DISTDIR}/${f%.*}" "${DISTDIR}/${f}"
done
fi
# finally, unpack the distfiles
default_src_unpack
}
_VERIFY_SIG_ECLASS=1
fi
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
2021-12-08 2:54 Anna Vyalkova
@ 2021-12-08 12:54 ` Haelwenn (lanodan) Monnier
2021-12-08 14:28 ` Anna Vyalkova
0 siblings, 1 reply; 4+ messages in thread
From: Haelwenn (lanodan) Monnier @ 2021-12-08 12:54 UTC (permalink / raw
To: gentoo-dev
Nice patch, got few things that I think should be changed though:
[2021-12-08 07:54:04+0500] Anna Vyalkova:
>+case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ BDEPEND="
>+ verify-sig? (
>+ app-crypt/gnupg
>+ >=app-portage/gemato-16
>+ )"
>+ ;;
>+ signify)
>+ BDEPEND="verify-sig? ( app-crypt/signify )"
Might be worth it to depend on app-crypt/minisign instead or depend on any.
minisign is already stabilized and I slightly prefer it's implementation over
the ported signify as there is no vendoring.
That said minisign could be considered bloated compared to signify.
> verify-sig_verify_detached() {
> local file=${1}
> local sig=${2}
> local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
>
> [[ -n ${key} ]] ||
> die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
>
> local extra_args=()
> [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
>- [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
>- --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>- )
>+ if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
>+ [[ ${VERIFY_SIG_IMPL} == gnupg ]] ||
>+ die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
>+
>+ extra_args+=(
>+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>+ )
>+ fi
>
> # GPG upstream knows better than to follow the spec, so we can't
> # override this directory. However, there is a clean fallback
> # to GNUPGHOME.
> addpredict /run/user
>
> local filename=${file##*/}
> [[ ${file} == - ]] && filename='(stdin)'
> einfo "Verifying ${filename} ..."
>- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>- gpg --verify "${sig}" "${file}" ||
>- die "PGP signature verification failed"
>+ case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>+ gpg --verify "${sig}" "${file}" ||
>+ die "PGP signature verification failed"
>+ ;;
>+ signify)
>+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
>+ die "PGP signature verification failed"
Should be something like "Signify signature verification failed".
>+ ;;
>+ esac
> }
>
> # @FUNCTION: verify-sig_verify_message
> # @USAGE: <file> <output-file> [<key-file>]
> # @DESCRIPTION:
> # Verify that the file ('-' for stdin) contains a valid, signed PGP
> # message and write the message into <output-file> ('-' for stdout).
> # <key-file> can either be passed directly, or it defaults
> # to VERIFY_SIG_OPENPGP_KEY_PATH. The function dies if verification
> # fails. Note that using output from <output-file> is important as it
> # prevents the injection of unsigned data.
> verify-sig_verify_message() {
> local file=${1}
> local output_file=${2}
> local key=${3:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
>
> [[ -n ${key} ]] ||
> die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
>
> local extra_args=()
> [[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
>- [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
>- --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>- )
>+ if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
>+ [[ ${VERIFY_SIG_IMPL} == gnupg ]] ||
>+ die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
>+
>+ extra_args+=(
>+ --keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
>+ )
>+ fi
>
> # GPG upstream knows better than to follow the spec, so we can't
> # override this directory. However, there is a clean fallback
> # to GNUPGHOME.
> addpredict /run/user
>
> local filename=${file##*/}
> [[ ${file} == - ]] && filename='(stdin)'
> einfo "Verifying ${filename} ..."
>- gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>- gpg --verify --output="${output_file}" "${file}" ||
>- die "PGP signature verification failed"
>+ case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
>+ gpg --verify --output="${output_file}" "${file}" ||
>+ die "PGP signature verification failed"
>+ ;;
>+ signify)
>+ signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
>+ die "PGP signature verification failed"
Should be something like "Signify signature verification failed".
>+# @FUNCTION: verify-sig_verify_signed_checksums
>+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
>+# @DESCRIPTION:
>+# Verify the checksums for all files listed in the space-separated list
>+# <files> (akin to ${A}) using a PGP-signed <checksum-file>. <algo>
>+# specified the checksum algorithm (e.g. sha256). <key-file> can either
>+# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
>+#
>+# The function dies if PGP verification fails, the checksum file
>+# contains unsigned data, one of the files do not match checksums
>+# or are missing from the checksum file.
>+verify-sig_verify_signed_checksums() {
>+ local checksum_file=${1}
>+ local algo=${2}
>+ local files=()
>+ read -r -d '' -a files <<<"${3}"
>+ local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
>+
>+ [[ -n ${key} ]] ||
>+ die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
>+
>+ case ${VERIFY_SIG_IMPL} in
>+ gnupg)
>+ _gpg_verify_signed_checksums \
>+ "${checksum_file}" "${algo}" "${files[@]}" "${key}"
>+ ;;
>+ signify)
>+ signify -C -p "${key}" \
>+ -x "${checksum_file}" "${files[@]}" ||
>+ die "PGP signature verification failed"
Should be something like "Signify signature verification failed".
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
2021-12-08 12:54 ` Haelwenn (lanodan) Monnier
@ 2021-12-08 14:28 ` Anna Vyalkova
0 siblings, 0 replies; 4+ messages in thread
From: Anna Vyalkova @ 2021-12-08 14:28 UTC (permalink / raw
To: gentoo-dev
On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> >+case ${VERIFY_SIG_IMPL} in
> >+ gnupg)
> >+ BDEPEND="
> >+ verify-sig? (
> >+ app-crypt/gnupg
> >+ >=app-portage/gemato-16
> >+ )"
> >+ ;;
> >+ signify)
> >+ BDEPEND="verify-sig? ( app-crypt/signify )"
>
> Might be worth it to depend on app-crypt/minisign instead or depend on any.
> minisign is already stabilized and I slightly prefer it's implementation over
> the ported signify as there is no vendoring.
> That said minisign could be considered bloated compared to signify.
$ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
Trusted signature comment should start with "trusted comment: "
It doesn't work :/
Also it has no "verify signed checksums list" mode.
> >+ case ${VERIFY_SIG_IMPL} in
> >+ gnupg)
> >+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> >+ gpg --verify "${sig}" "${file}" ||
> >+ die "PGP signature verification failed"
> >+ ;;
> >+ signify)
> >+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> >+ die "PGP signature verification failed"
>
> Should be something like "Signify signature verification failed".
It's still PGP, so the message is accurate. Having different messages
would be inconsistent. That's what I think.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-12-08 15:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-12-08 15:29 [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support Haelwenn (lanodan) Monnier
-- strict thread matches above, loose matches on Subject: below --
2021-12-08 2:54 Anna Vyalkova
2021-12-08 12:54 ` Haelwenn (lanodan) Monnier
2021-12-08 14:28 ` Anna Vyalkova
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox