Martin Owens <[email protected]> writes:

> Building debs for ppa uses gpg and signs each source package build in
> two different places requiring the unlocking of the gpg key twice.

> I've been running a script which builds 4 packages for 3 ubuntu releases
> which comes to typing in my gpg passphraise 24 times in succession (more
> if I get it wrong).

> Should I be concerned that possible snoopers have 24 opportunities to
> watch my passphraise in physical space? And if typing in the passphraise
> a lots of times isn't important, why have a passphraise at all?

I use gpg-agent with a five minute timeout, which is long enough to let me
sign a bunch of packages while I'm actively working (plus git tags and so
forth) but short enough that I'm not too worried about an attacker taking
advantage of the cached password.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>


-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: http://lists.debian.org/[email protected]

Reply via email to