From: ludo@gnu.org (Ludovic Courtès)
To: Leo Famulari
Cc: Vagrant Cascadian, Mark H Weaver, 32674@debbugs.gnu.org, Mike Gerwitz
Subject: Re: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh' & co.
Date: Sun, 16 Sep 2018 23:02:04 +0200
Message-ID: <87y3c1dulv.fsf@gnu.org>
In-Reply-To: <20180913162904.GA11458@jasmine.lan> (Leo Famulari's message of "Thu, 13 Sep 2018 12:29:04 -0400")
References: <20180909204335.21400-1-ludo@gnu.org> <20180913162904.GA11458@jasmine.lan>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Hello,

Leo Famulari skribis:

> On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Courtès wrote:
>> Hello Guix,
>>
>> (Cc’ing people with expertise and interest in this…)
>>
>> This patch changes (guix gnupg) so that it uses keyrings in the “keybox”
>> file format to store and read upstream public keys (instead of using the
>> user’s default keyring), and so that it uses ‘gpgv --keyring’ instead
>> of ‘gpg --verify’.
>>
>> ‘gpgv’ is specifically designed for use cases like software signature
>> verification against a keyring of “trusted keys” (it’s used by APT and
>> Werner Koch recommends it¹.) A significant difference compared to
>> ‘gpg --verify’ is that it doesn’t check whether keys are expired or
>> revoked; all that matters is whether the signature is valid and whether
>> the signing key is in the specified keyring. I think that’s what we
>> want when checking the signature of a tarball or Git commit.
>
> Great, this is a big improvement. It would be awesome if we could get
> similar support in Git (or find another way to authenticate our code).

Yes, that was partly the motivation for this change.

Pushed as b9e1fddfd8c29b2fa6252ef52a75daa14aaabd3e.

Thanks Mike & Leo for your feedback!

Ludo’.