Hello community, here is the log from the commit of package gpg-offline for openSUSE:Factory checked in at 2012-12-19 20:45:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gpg-offline (Old) and /work/SRC/openSUSE:Factory/.gpg-offline.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gpg-offline", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/gpg-offline/gpg-offline.changes 2012-12-14 07:37:09.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gpg-offline.new/gpg-offline.changes 2012-12-19 20:45:58.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Dec 18 20:18:40 CET 2012 - [email protected] + +- Get rid "Using untrusted key!" warning. +- Add --keyserver-options=auto-key-retrieve where appropriate. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gpg-offline.PACKAGING.HOWTO ++++++ --- /var/tmp/diff_new_pack.PfwzxJ/_old 2012-12-19 20:45:59.000000000 +0100 +++ /var/tmp/diff_new_pack.PfwzxJ/_new 2012-12-19 20:45:59.000000000 +0100 @@ -58,7 +58,7 @@ If you have a trusted signature and you want to create keyring: -gpg --verify mypackage.tar.gz.sig +gpg --keyserver-options=auto-key-retrieve --verify mypackage.tar.gz.sig Online GPG verification will be performed. You will get a text containing description and ID of the signing key. Pick the key ID from @@ -68,7 +68,7 @@ Example: -~/OSC/openSUSE:Factory/libnetfilter_acct> gpg --verify *.sig +~/OSC/openSUSE:Factory/libnetfilter_acct> gpg --keyserver-options=auto-key-retrieve --verify *.sig gpg: Signature made Tue Oct 9 00:42:06 2012 CEST using RSA key ID BB5F58CC gpg: Good signature from "Netfilter Core Team <[email protected]>" gpg: WARNING: This key is not certified with a trusted signature! ++++++ gpg-offline.gopts ++++++ --- /var/tmp/diff_new_pack.PfwzxJ/_old 2012-12-19 20:45:59.000000000 +0100 +++ /var/tmp/diff_new_pack.PfwzxJ/_new 2012-12-19 20:45:59.000000000 +0100 @@ -71,7 +71,7 @@ verifies signature of selected source files @switch OFFLINE -O --offline -does not verify up-to-date status online (use with --review or --refresh) +does not verify up-to-date status online (use with --add, --review or --refresh) @cntswitch VERBOSE -v --verbose be verbose @@ -157,9 +157,15 @@ # keyring_op: Add keys specified in the command line arguments. function keyring_op_add { TEMP_FILES="${TEMP}key.$$" + if $OPTARG_OFFLINE ; then + AUTO_KEY_RETRIEVE="no-" + else + AUTO_KEY_RETRIEVE="" + fi for ID in "${ARGV[@]}" ; do + vvrun "Extract minimal form of the key $ID in binary form:"\ - gpg --armor --export-options no-export-attributes,export-clean,export-minimal --export "$ID" >${TEMP}key.$$ + gpg --keyserver-options=${AUTO_KEY_RETRIEVE}auto-key-retrieve --armor --export-options no-export-attributes,export-clean,export-minimal --export "$ID" >${TEMP}key.$$ vvrun "Import the new key to the temporary keyring:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --import <${TEMP}key.$$ done @@ -243,22 +249,17 @@ if $OPTARG_VERIFY ; then filespec_required keyring_required - temp_setup - TEMP_FILES="${TEMP}stderr.$$" RC=0 rm -rf ~/.gnupg/gpg-offline.$$* - # Enable once FIXME below will be fixed and disable temp_setup above. - #trap "rm -rf ~/.gnupg/gpg-offline.$$*" EXIT + trap "rm -rf ~/.gnupg/gpg-offline.$$*" EXIT vvrun "Import armored $KEYRING to the temporary keyring:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --import <"$KEYRING" for SIGNATURE in "${ARGV[@]}" ; do + # "--trust-model=always" always generates warning "Using untrusted key!". "--quiet" suppresses it. vvrun "Verifying $SIGNATURE against the temporary keyring only:"\ - gpg --trust-model=always --keyserver-options=no-auto-key-retrieve --no-default-keyring --keyring=gpg-offline.$$ --verify "$SIGNATURE" 2>${TEMP}stderr.$$ + gpg --quiet --trust-model=always --keyserver-options=no-auto-key-retrieve --no-default-keyring --keyring=gpg-offline.$$ --verify "$SIGNATURE" let RC+=$? - # FIXME: Get rid this warning! - # We have to use temporary file, otherwise return code gets lost. - grep -v '^gpg: WARNING: Using untrusted key!$' ${TEMP}stderr.$$ >&2 done if test $RC -gt 0 ; then exit 1 ++++++ gpg-offline.man.in ++++++ --- /var/tmp/diff_new_pack.PfwzxJ/_old 2012-12-19 20:45:59.000000000 +0100 +++ /var/tmp/diff_new_pack.PfwzxJ/_new 2012-12-19 20:45:59.000000000 +0100 @@ -32,7 +32,9 @@ \fB\-a\fR, \fB\-\-add\fR \fIKEY_ID\fR... adds signing key(s) KEY_ID of upstream package for inclusion to the keyring file. If the file does not exist, it is created and needed -lines are proposed for inclusion to \fIPACKAGE\fR.spec. +lines are proposed for inclusion to \fIPACKAGE\fR.spec. If +\fB\-\-offline\fR is specified, check only local keyring for keys. + .IP This command needs correctly configured gnupg and may need to contact keyring servers on Internet. @@ -59,7 +61,8 @@ for keys updates. .TP \fB\-v\fR, \fB\-\-offline\fR -skips online checks in \fB\-\-review\fR and \fB\-\-refresh\fR. +skips online checks in \fB\-\-add\fR, \fB\-\-review\fR and +\fB\-\-refresh\fR. .TP \fB\-v\fR, \fB\-\-verbose\fR explains what is being done. Use twice to see even more. -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
