On 10/25/19 2:05 PM, Jamie Bullock wrote:
> Regarding Deken's GPG signing step... it seems that a "package" or "upload"
> succeeds even if I type an incorrect GPG password. I discovered this because
> I accidentally typed a wrong password and the upload still went through
> without errors.
>
> Can someone explain how GPG works with regard to Deken, and what the consequence
> is if the wrong password was typed?
so far, GPG-signing of deken packages is purely optional.
(and as of now, the deken-plugin doesn't have a way to verify GPG-signatures of downloaded packages; there's an open issue at [208])

"purely optional" means that if the user doesn't have GPG installed and/or doesn't have a GPG-key, they can (and will) upload packages without a signature.

as a side-effect, it seems that users who have GPG installed and have a GPG-key, but fail to properly sign the packages (e.g. because they mistyped their password), will fall under the "optional" clause and get their packages uploaded without a GPG-signature.

this is arguably the wrong consequence - instead the process should terminate with a hard failure (but still allow uploading packages without GPG-signatures if the user doesn't have that setup).

probably somebody should create a ticket on github.
i'm pretty confident that this case was never actually tested (which explains the broken handling).

i hope this makes it a bit clearer.

gamrds
IOhannes

[208] https://github.com/pure-data/deken/issues/208
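The distinction IOhannes draws above (signing is optional when the user has no GPG setup, but a failed signing attempt must not be treated the same way) is easy to get wrong in code. The following is an added example, written for this thread and not taken from deken's own sources, showing the two decisions separately: first whether GPG is usable at all (binary on PATH and at least one secret key), then, if it is, treating a non-zero exit from the signing step as a hard failure instead of silently falling back to an unsigned upload. The function and class names (`gpg_usable`, `gpg_detach_sign`, `sign_before_upload`, `SigningError`) are hypothetical, the `.dek` filename is constructed, and the fake signer that returns a non-zero status stands in for gpg rejecting a mistyped passphrase. The gpg flags used (`--batch`, `--with-colons`, `--list-secret-keys`, `--yes`, `--armor`, `--detach-sign`, `--output`) are standard GnuPG options.

```python
"""Sign-or-skip logic for a package upload step (illustrative, not deken's code)."""
import shutil
import subprocess
from typing import Callable, Optional


class SigningError(RuntimeError):
    """Raised when signing was attempted and failed (e.g. wrong passphrase)."""


def gpg_usable() -> bool:
    """Decide the 'optional' clause: is there a gpg binary and a secret key?

    Returns False when gpg is missing or no secret key is listed, in which
    case an unsigned upload is legitimately allowed.
    """
    gpg = shutil.which("gpg")
    if gpg is None:
        return False
    proc = subprocess.run(
        [gpg, "--batch", "--with-colons", "--list-secret-keys"],
        capture_output=True, text=True, check=False)
    # In --with-colons output every secret key record starts with "sec:".
    return proc.returncode == 0 and any(
        line.startswith("sec:") for line in proc.stdout.splitlines())


def gpg_detach_sign(package_path: str) -> int:
    """Write an ASCII-armored detached signature next to the package.

    Returns gpg's exit status: 0 on success, non-zero when gpg refused
    (bad passphrase, cancelled pinentry, missing key, ...).
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--detach-sign",
         "--output", package_path + ".asc", package_path],
        check=False)
    return proc.returncode


Signer = Callable[[str], int]


def sign_before_upload_broken(package_path: str, usable: bool,
                              signer: Signer) -> Optional[str]:
    """The behaviour described in the thread: any signing problem collapses
    into the 'no signature' path, so a wrong passphrase still uploads."""
    if not usable:
        return None
    if signer(package_path) == 0:
        return package_path + ".asc"
    return None  # BUG: failure is indistinguishable from 'no GPG setup'


def sign_before_upload(package_path: str, usable: bool,
                       signer: Signer) -> Optional[str]:
    """Corrected behaviour: skip only when GPG is not set up; otherwise a
    failed signing attempt is a hard error and nothing is uploaded."""
    if not usable:
        return None  # no gpg / no key: unsigned upload is allowed
    rc = signer(package_path)
    if rc != 0:
        raise SigningError(
            f"gpg exited with status {rc}; refusing to upload "
            f"{package_path} without a signature")
    return package_path + ".asc"


# Constructed stand-ins for gpg so the example runs without a keyring:
def fake_signer_ok(path: str) -> int:
    return 0


def fake_signer_bad_passphrase(path: str) -> int:
    return 2  # any non-zero status, as gpg returns on a rejected passphrase


def outcome(usable: bool, signer: Signer, fixed: bool = True) -> str:
    """Summarise what the upload step would do: 'unsigned', 'signed' or 'refused'."""
    fn = sign_before_upload if fixed else sign_before_upload_broken
    try:
        sig = fn("example-externals.dek", usable, signer)  # constructed name
    except SigningError:
        return "refused"
    return "signed" if sig else "unsigned"


if __name__ == "__main__":
    print("no GPG setup, fixed   :", outcome(False, fake_signer_bad_passphrase))
    print("wrong password, broken:", outcome(True, fake_signer_bad_passphrase, fixed=False))
    print("wrong password, fixed :", outcome(True, fake_signer_bad_passphrase))
    print("correct password      :", outcome(True, fake_signer_ok))
```

To wire the real tool in, pass `gpg_detach_sign` as the signer and `gpg_usable()` as the flag; the decision logic stays the same. Note that verifying signatures on download (issue 208) is a separate step, not covered here.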
_______________________________________________ Pd-dev mailing list [email protected] https://lists.puredata.info/listinfo/pd-dev
