Jon Turney via Cygwin-apps writes:
> It would probably be nice if the signature could be generated and
> validated with standard tools, which perhaps means using 'gpg
> --clearsign'.
>
> (which probably breaks anything else reading the existing .ini files,
> so we'd still need to keep that around for backwards compatibility)
Breaking change w.r.t backwards compatibility, so I had ruled that
option out (plus we'd need to parse that format ourselves). Anyway:
# create setup.ini
mv setup.ini{,.nosig}
gpg -b setup.ini.nosig
printf "signature: %s\n" `base64 -w 0 setup.ini.sig` > setup.ini.esig
bzip2 --keep setup.ini.nosig setup.ini.esig
xz --keep setup.ini.nosig setup.ini.esig
zstd --keep setup.ini.nosig setup.ini.esig
for s in bz2 xz zstd ; do
cat setup.ini.{esig,nosig}.$s > setup.ini.$s
gpg -b setup.ini.$s
done
> Unfortunately, whatever approach is taken, this is all much harder
> work than it should be, because we don't use libgpgme, but lots of
> low-level grovelling around with libgpg instead.
With the structure I've outlined that check would be in a different
place, but otherwise we would do exactly the same thing as we do now.
> (It's my understanding that we can't (or couldn't) use gpgme, because
> that relies on invoking a copy of gpg via a pipe, which is obviously
> no good for a stand-alone installer)
I've not looked into that, but it is my understanding that using
libgpgme would have further reaching consequences than that. I don't
think you'd be able to do everything in memory, GPG likes to have a
.gnupg directory.
Regards,
Achim.
--
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
Samples for the Waldorf Blofeld:
http://Synth.Stromeko.net/Downloads.html#BlofeldSamplesExtra
