[PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify
Brian Inglis
Brian.Inglis@SystematicSW.ab.ca
Wed May 1 16:12:28 GMT 2024
On 2024-04-30 23:50, ASSI via Cygwin-apps wrote:
> Brian Inglis via Cygwin-apps writes:
>> Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
>> single operation gpg verification helper designed for use in scripts
>> instead of gpg2 --verify: see 'info gpg2 helper gpgv'
>
> NAK. This tool doesn't check for expired keys and also searches for
> keys in different places, so you'd have to change your setup. More
> specifically you'd either have to explicitly trust all keys you want to
> check (not going to happen) or use a "--keyring" argument to force it to
> use the pubring.
Questioning FMI but not disagreeing with your decision ;^>
Not seeing any key issues as my pubring.gpg is symlinked as trustedkeys.gpg?
Although scallywag runs cannot even check keys, so what can we do about that?
2024-04-28T21:41:01.4042065Z >>> Preparing ncurses-6.5+20240427-1.x86_64
2024-04-28T21:41:01.4235798Z *** Info: SOURCE 1 signature follows:
2024-04-28T21:41:01.4407160Z gpg: directory '/home/runneradmin/.gnupg' created
2024-04-28T21:41:01.4508023Z gpg: keybox '/home/runneradmin/.gnupg/pubring.kbx' created
2024-04-28T21:41:01.4775748Z gpg: Signature made Sat, Apr 27, 2024 8:27:29 PM UTC
2024-04-28T21:41:01.4776513Z gpg: using RSA key 19882D92DDA4C400C22C0D56CC2AF4472167BE03
2024-04-28T21:41:01.4784503Z gpg: Can't check signature: No public key
Other advantage is not seeing Eric Blake and others' pictures pop up ;^>
I tested with all my cached signed upstream package downloads and compared the
logs from gpg2 --verify and gpgv2, so what benefit is reporting trust level
"[unknown]" and expired keys from cygport, and what are you meant to do about
expired keys for upstream package signers?
[While checking also came across keys from 1998 with my dialup email address!]
--
Take care. Thanks, Brian Inglis Calgary, Alberta, Canada
La perfection est atteinte Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry
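
The cases raised in this thread (no public key on the CI runner, a good signature made by an expired key, unknown trust) can be told apart in a script from GnuPG's machine-readable `--status-fd` output, with the signer pinned by full fingerprint. The sketch below is an added example, not part of the original message or of cygport; the function name, verdict strings, exit codes and sample status lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not cygport code): classify GnuPG --status-fd lines on stdin.
# Intended use (paths hypothetical):
#   gpg2 --status-fd 1 --verify pkg.tar.gz.asc pkg.tar.gz 2>/dev/null |
#       classify_sig_status "$EXPECTED_FPR"
# Body is a subshell "( )" so variables stay local; exit sets the function status.
classify_sig_status() (
    expected_fpr=${1:-}; good=; expired=; bad=; missing=; fpr=; trust=NONE
    while read -r prefix tag a1 rest || [ -n "$prefix" ]; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case $tag in
            GOODSIG)   good=1 ;;
            EXPKEYSIG) good=1; expired=1 ;;      # valid signature, key expired
            BADSIG)    bad=1 ;;
            NO_PUBKEY) missing=$a1 ;;            # key absent from the keyring
            VALIDSIG)  fpr=$a1 ;;                # full fingerprint of signing key
            TRUST_*)   trust=${tag#TRUST_} ;;
        esac
    done
    if [ -n "$bad" ]; then echo "BAD"; exit 1; fi
    if [ -n "$missing" ]; then echo "NOKEY $missing"; exit 2; fi
    if [ -z "$good" ] || [ -z "$fpr" ]; then echo "UNVERIFIED"; exit 1; fi
    if [ -n "$expected_fpr" ] && [ "$fpr" != "$expected_fpr" ]; then
        echo "WRONGKEY $fpr"; exit 1
    fi
    if [ -n "$expired" ]; then echo "GOOD-EXPIRED-KEY $fpr trust=$trust"; exit 3; fi
    echo "GOOD $fpr trust=$trust"
)

# Constructed status lines. Key id and fingerprint in SAMPLE_NOKEY come from the
# log in the message; the other ERRSIG fields and SAMPLE_EXPIRED are made up.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CC2AF4472167BE03 1 10 00 1714249649 9 19882D92DDA4C400C22C0D56CC2AF4472167BE03
[GNUPG:] NO_PUBKEY CC2AF4472167BE03'
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_EXPIRED="[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1700000000
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Constructed Signer <signer@example.org>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2024-04-27 1714249649 0 4 0 1 10 00 $SAMPLE_FPR
[GNUPG:] TRUST_UNDEFINED 0 pgp"

printf '%s\n' "$SAMPLE_NOKEY"   | classify_sig_status || true
printf '%s\n' "$SAMPLE_EXPIRED" | classify_sig_status "$SAMPLE_FPR" || true
```

A distinct exit status for the expired-key case lets the caller decide whether that is a warning or a failure, instead of reading it off the human-readable log.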