Hi,

Here is a tool I built to simplify the verification of gnupg signatures.

It's pretty straightforward: it takes a file, a pubkey and a signature. If
everything matches you get a list of the valid identities and a
"Signature OK" message.

The goal for this is to open up the door to validating signatures from
upstream by allowing us to store a public key in a port
(mail/mutt/files/pubkey for example).

For a functional example see sthen@'s modification that uses gpg:

  https://marc.info/?t=157687704400002&r=1&w=2

If you add mutt's pubkey in mail/mutt/files/pubkey and replace the line
that calls gpg2 with:

  ogvt -sig $$file -file ${DISTFILES} -pub ${FILESDIR}/pubkey|| OK=false; \

One can validate the signature with 'make checksum'

  > make checksum
  ===> Checking files for mutt-1.13.3v3
  `/usr/ports/distfiles/mutt-1.13.3.tar.gz' is up to date.
  `/usr/ports/distfiles/mutt-1.13.3.tar.gz.asc' is up to date.
  >> (SHA256) mutt-1.13.3.tar.gz: OK
  >> (SHA256) mutt-1.13.3.tar.gz.asc: OK
  "Kevin J. McCarthy <[email protected]>"
  Signature OK.

Cluesticks? OKs?

Cheers,
Aaron

--
PGP: 0x1F81112D62A9ADCE / 3586 3350 BFEA C101 DB1A 4AF0 1F81 112D 62A9 ADCE
ogvt.tgz
Description: Binary data
