On 06/23/2013 01:19 AM, Michał Górny wrote:
> On 2013-06-22, at 17:02:56
> "Paweł Hajdan, Jr." <phajdan...@gentoo.org> wrote:
>
>> On 6/20/13 2:16 AM, Michał Górny wrote:
>>> Doing test signatures won't cover all failures.
>>
>> Do you know an example? The only one I'm aware of is when a test
>> signature is made very close to the expiration date, and then the real
>> signature would be done after it.
>
> Well, Michael explained one in the other branch of this thread quite
> thoroughly. Other than that, there can be random runtime errors
> and race conditions.
>
> I'd say it's as good as using stat() to check whether a file exists
> before opening it. But thinking of it, I've got another idea...
>
> How about opening 'gpg -s' in a subprocess before first commit
> and feeding the Manifest afterwards? As far as I can see, gpg asks for
> the password instantly, so likely most of the bases will be covered
> already, and we'll be doing a single signature only.

The only problem I see is that repoman will have no way of knowing when
you have finished typing the pass phrase (if not using gpg-agent). So,
there may be some mixing of repoman and gpg/pinentry output in the
terminal.
--
Thanks,
Zac
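
A sketch of the start-early, feed-later idea from this thread, added here as an example and not taken from repoman: the signer is started before the commit, the Manifest is written to its stdin afterwards, and the signer's status is checked at both points. The `FAKE_*` commands are constructed stand-ins for `gpg -s`, the Manifest line is constructed, and all function names are hypothetical.

```python
import subprocess
import sys


class SignerFailed(Exception):
    """Raised when the signing subprocess exits early or returns non-zero."""


def start_signer(cmd):
    """Start the signer before the first commit; it then waits on stdin."""
    return subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE)


def sign_with(proc, manifest_bytes):
    """Feed the Manifest to the already-running signer and return its output."""
    # If the signer has already exited (for example a cancelled prompt),
    # stop here instead of discovering the failure after the commit.
    if proc.poll() is not None:
        raise SignerFailed("signer exited early with status %d" % proc.returncode)
    # communicate() writes the data, closes stdin, and waits for exit.
    out, _ = proc.communicate(manifest_bytes)
    if proc.returncode != 0:
        raise SignerFailed("signer returned status %d" % proc.returncode)
    return out


# Constructed stand-ins for 'gpg -s' so the sketch runs without a key:
# one echoes stdin behind a marker, the other fails immediately.
FAKE_OK = [sys.executable, "-c",
           "import sys; sys.stdout.write('SIGNED:' + sys.stdin.read())"]
FAKE_FAIL = [sys.executable, "-c", "import sys; sys.exit(2)"]


def demo(cmd, manifest=b"DIST foo-1.0.tar.gz 123 SHA256 abc\n"):
    """Run the whole sequence: start signer, (commit), feed Manifest."""
    proc = start_signer(cmd)
    # ... the commit would happen here, with the signer already running ...
    return sign_with(proc, manifest)


if __name__ == "__main__":
    print(demo(FAKE_OK))
```

The sketch does not address the terminal-output mixing raised in the reply above; it only shows the subprocess ordering and the two failure checks.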