On Tue, 2008-03-04 at 07:44 +0000, Adam D. Barratt wrote:
> Is this an option that you'd only want to use when dget is calling
> dscverify, or any time that dscverify is called? If the latter then the
> functionality already exists (DSCVERIFY_KEYRINGS).
My use-case is downloading packages from mentors.d.n for sponsorship,
there I always use dget rather than dscverify. I reported this bug
because dget -x wasn't working as it used to because it now calls
dscverify, fails and decides not to run dpkg-source. Perhaps what I
really want is for dget -x to run dpkg-source -x even if dscverify
fails. That way I get to see a warning from dpkg-source if the key isn't
in my keyring or the package has been tampered with in transit.
Thinking about it more, I'd like -x to do these:
* good DD sig: yay, unpack
* bad DD sig: big error, option to force unpack
* good DM sig: yay, unpack, inform me of DM status
* bad DM sig: big error, option to force unpack
* good other sig: yay, unpack, inform me of otherness
* bad other sig: big, option to force unpack
* no sig: yay, unpack, warn about no sig
With no -x it would just do the same without unpacking.
> > Alternatively change dscverify to check ~/.gnupg/pubring.gpg
>
> This is already possible (see above) but I'm not convinced we'd want to
> include it by default.
Fair enough.
> > but print out a warning if the key is not in debian-keyring.
>
> This, otoh, is not currently supported. I suppose one could have
> dscverify call check_signature() twice with different keyrings.
Sounds fine to me.
--
bye,
pabs
http://wiki.debian.org/PaulWise
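
The -x outcomes listed in the message above, combined with the idea of running the signature check once per keyring, as an added example (not part of the original message and not devscripts code). It assumes the text gpgv writes with `--status-fd` has been captured for each keyring; the function names, keyring labels and sample status lines are constructed for illustration.

```python
# Added illustration, not devscripts code; all names here are hypothetical.
# Input is the text gpgv writes with --status-fd, one capture per keyring tried.

def sig_state(status: str) -> str:
    """Collapse one keyring's gpgv status lines to good / bad / nokey / none."""
    words = {l.split()[1] for l in status.splitlines()
             if l.startswith("[GNUPG:] ") and len(l.split()) > 1}
    if words & {"BADSIG", "EXPKEYSIG", "REVKEYSIG"}:
        return "bad"      # assumption: expired/revoked signing keys count as bad
    if "GOODSIG" in words:
        return "good"
    if words & {"NO_PUBKEY", "ERRSIG"}:
        return "nokey"    # a signature exists but this keyring cannot check it
    return "none"

def decide(runs, unpack=False, force=False):
    """runs: ordered [(label, status_text)], e.g. DD keyring first, own last.

    Returns (signer_label_or_None, state, will_unpack, message)."""
    states = [(label, sig_state(text)) for label, text in runs]
    # The first keyring that actually holds the signing key classifies the signer.
    for label, state in states:
        if state == "good":
            note = "" if label == "DD" else f"; signer is {label}, not a DD"
            return label, "good", unpack, f"good {label} signature{note}"
        if state == "bad":
            return label, "bad", unpack and force, f"ERROR: bad {label} signature"
    if any(state == "nokey" for _, state in states):
        # Not in the list from the message: assumed here to need forcing too.
        return None, "nokey", unpack and force, "ERROR: signing key in no keyring"
    return None, "none", unpack, "WARNING: no signature"

# Constructed gpgv status captures (key id and user id are made up).
GOOD = "[GNUPG:] GOODSIG 0123456789ABCDEF Example Uploader <u@example.org>\n"
BAD = "[GNUPG:] BADSIG 0123456789ABCDEF Example Uploader <u@example.org>\n"
NOKEY = ("[GNUPG:] ERRSIG 0123456789ABCDEF 17 2 00 1204616640 9\n"
         "[GNUPG:] NO_PUBKEY 0123456789ABCDEF\n")

if __name__ == "__main__":
    for runs in ([("DD", GOOD)], [("DD", NOKEY), ("DM", GOOD)],
                 [("DD", NOKEY), ("DM", NOKEY), ("other", BAD)], [("DD", "")]):
        print(decide(runs, unpack=True))
```

A signature whose key is in none of the keyrings is not one of the cases in the list; the example refuses to unpack it unless forced.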
