Luke <[email protected]> writes:

> On 06/27/2015 12:11 PM, fauno wrote:
>> Michał Masłowski <[email protected]> writes:
>>
>>>> The package will be compiled, and immediately signed with the packager's
>>>> key during compile process.
>>> This isn't nice for batch builds: user leaves the computer building for
>>> hours, then runs librerelease, inputs the GPG passphrase for pinentry,
>>> gpg-agent will cache it for a short time.
>> right, this was the initial decision for putting signing on
>> librerelease.  security-wise having to put the signature for
>> each batch/unattended build is bothersome but necessary.
> If this is actually an issue, it is described in the manpage for gpg-agent.
>
> nano ~/.gnupg/gpg-agent-conf
> set default-cache-ttl and max-cache-ttl as needed.
> I would suppose a simple bash script could also be made that looks for
> the makepkg process. If it still exists, increase time-to-live in
> gpg-agent by x-seconds.
> This is still better than signing long after the package has been built.

i think you need to restart the agent to change the ttl.

what if there's an intermediary signature that only libremakepkg can
issue and then librerelease verifies this and signs with the packager
key?



-- 
http://vqfe4xmhxzi7w2uv.onion

Attachment: signature.asc
Description: PGP signature
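The intermediary-signature idea raised in the message above, worked through as an added example (this is not libretools code, and the list thread does not contain it): a build step emits an attestation over the freshly built package, and the release step refuses to apply the packager's key unless that attestation verifies and still matches the file. The keys, package bytes and function names are constructed for this example; HMAC stands in for the real GPG signatures so the block runs offline, and the control flow is the point.

```python
"""Two-stage signing: build-time attestation, verified before release signing.

Assumptions (constructed for this example): the intermediary credential is an
HMAC over the package digest with a key only the build host holds, and the
"packager signature" is an HMAC with the packager's key. Real GPG signatures
(a build-host key on libremakepkg's side, the packager's key on librerelease's)
would replace both HMACs.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed keys for the example; real keys would live in a keyring/agent.
BUILD_HOST_KEY = b"constructed-build-host-key"
PACKAGER_KEY = b"constructed-packager-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _attestation_payload(pkgname: str, digest: str) -> bytes:
    # Canonical encoding so the build and release sides authenticate identical bytes.
    return json.dumps({"pkgname": pkgname, "sha256": digest}, sort_keys=True).encode()


def build_attestation(pkg_bytes: bytes, pkgname: str,
                      build_key: bytes = BUILD_HOST_KEY) -> dict:
    """Build step (libremakepkg's role): bind name + digest with the build-host key."""
    digest = sha256_hex(pkg_bytes)
    tag = hmac.new(build_key, _attestation_payload(pkgname, digest), hashlib.sha256).hexdigest()
    return {"pkgname": pkgname, "sha256": digest, "build_tag": tag}


def verify_attestation(pkg_bytes: bytes, att: dict,
                       build_key: bytes = BUILD_HOST_KEY) -> bool:
    """Release step 1: the attestation must be authentic AND still match the file."""
    expected = hmac.new(build_key, _attestation_payload(att["pkgname"], att["sha256"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, att["build_tag"]):
        return False  # attestation forged, or its fields edited after the build
    # The file may have been altered between the build and the (much later) release.
    return hmac.compare_digest(att["sha256"], sha256_hex(pkg_bytes))


def release_sign(pkg_bytes: bytes, att: dict,
                 packager_key: bytes = PACKAGER_KEY) -> Optional[str]:
    """Release step 2 (librerelease's role): packager signs only after step 1 passes."""
    if not verify_attestation(pkg_bytes, att):
        return None
    return hmac.new(packager_key, pkg_bytes, hashlib.sha256).hexdigest()


def demo() -> tuple:
    """Returns (untouched package signed, modified package refused, edited attestation refused)."""
    pkg = b"constructed package contents"
    att = build_attestation(pkg, "example-pkg")
    signed_ok = release_sign(pkg, att) is not None
    modified_refused = release_sign(pkg + b"\x00", att) is None
    # Attacker rewrites the digest in the attestation but cannot recompute build_tag.
    forged = dict(att, sha256=sha256_hex(pkg + b"\x00"))
    forged_refused = release_sign(pkg + b"\x00", forged) is None
    return signed_ok, modified_refused, forged_refused


if __name__ == "__main__":
    print(demo())
```

Design note: because the build-host credential is used unattended it cannot be protected by a passphrase the way the packager key is, so it should be a separate, lower-value key (an HMAC secret as here, or in a real deployment its own GPG key) and the packager's signature remains the one relying parties trust. What the intermediary step buys is that the release step can detect a package modified or substituted between the end of the build and the moment the packager signs, which is exactly the window the thread is worried about.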

_______________________________________________
Dev mailing list
[email protected]
https://lists.parabola.nu/mailman/listinfo/dev
