On Thu, Dec 20, 2012 at 11:36:16AM +0100, Ansgar Burchardt wrote:
> On 12/20/2012 04:29 AM, James McCoy wrote:
> > commit 0e804cc658e3a00e07873a4be880f3d2769c913f
> > Author: James McCoy <[email protected]>
> > Date:   Wed Dec 19 22:25:01 2012 -0500
> >
> >     dscverify: Use "gpg --status-fd" to get more details about validity
> >
> >     Simply running "gpg < file" doesn't ensure the content is properly
> >     signed. Even when it does, we may not be using the signed content.
> >
> >     Using "gpg --status-fd 1 < file" solves both of these issues. Even
> >     though it still won't error out with an unsigned file, we'll be able to
> >     detect that the content wasn't signed by the lack of a VALIDSIG status.
> >     Also, the command will emit the signed content between PLAINTEXT status
> >     and any subsequent status lines.
>
> Mixing the status output from gpg and the data is a bad idea. It's
> probably still possible to bypass the check with something like
Good point. I just pushed an update:
http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commit;h=3e4b99becfc2e978887f2a52124970318bafe943

Cheers,
-- 
James
GPG Key: 4096R/331BA3DB 2011-12-05
James McCoy <[email protected]>
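As an added illustration of the point raised in this thread (example code, not devscripts' own dscverify and not from either poster): keep gpg's status report and the signed payload on two separate channels, and decide validity from the status lines alone. It assumes gpg's `--status-file` and `--output` options and uses a constructed status transcript with a placeholder fingerprint.

```python
import subprocess
import tempfile
from pathlib import Path

STATUS_PREFIX = "[GNUPG:] "
# Status keywords after which the signature must not be trusted.
FAILURE = {"BADSIG", "ERRSIG", "NODATA", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Return the VALIDSIG fingerprint if GOODSIG was also reported and no
    failure keyword appeared; only status lines are read, never the payload."""
    good, fingerprint = False, None
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # human-readable gpg chatter is not a status line
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FAILURE:
            return None
        if keyword == "GOODSIG":
            good = True
        elif keyword == "VALIDSIG" and args:
            fingerprint = args[0]
    return fingerprint if good else None

def verify_signed_file(path):
    """Run gpg with status and payload written to separate files so payload
    bytes can never be read as status; returns (fingerprint, bytes) or (None, b'')."""
    with tempfile.TemporaryDirectory() as tmp:
        status_file, payload_file = Path(tmp, "status"), Path(tmp, "payload")
        subprocess.run(["gpg", "--batch", "--status-file", str(status_file),
                        "--output", str(payload_file), "--decrypt", str(path)],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                       check=False)
        status = status_file.read_text() if status_file.exists() else ""
        fingerprint = parse_status(status)
        if fingerprint is None or not payload_file.exists():
            return None, b""
        return fingerprint, payload_file.read_bytes()

# Constructed status transcripts; the fingerprint is a placeholder, not a real key.
SAMPLE_FPR = "DEADBEEF" * 5
SAMPLE_GOOD = (f"[GNUPG:] NEWSIG\n"
               f"[GNUPG:] GOODSIG {SAMPLE_FPR[-16:]} Example Signer <signer@example.com>\n"
               f"[GNUPG:] VALIDSIG {SAMPLE_FPR} 2012-12-19 1355973901 0 4 0 1 10 00 {SAMPLE_FPR}\n"
               f"[GNUPG:] TRUST_ULTIMATE\n")
SAMPLE_BAD = f"[GNUPG:] BADSIG {SAMPLE_FPR[-16:]} Example Signer <signer@example.com>\n"
```

Because the payload file is only opened after the status file has been judged, nothing inside a signed or unsigned .dsc can influence the verdict.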
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
