Re: [PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify

2024-05-01 Thread Brian Inglis via Cygwin-apps

On 2024-04-30 23:50, ASSI via Cygwin-apps wrote:
> Brian Inglis via Cygwin-apps writes:
>> Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
>> single operation gpg verification helper designed for use in scripts
>> instead of gpg2 --verify: see 'info gpg2 helper gpgv'
>
> NAK. This tool doesn't check for expired keys and also searches for
> keys in different places, so you'd have to change your setup.  More
> specifically you'd either have to explicitly trust all keys you want to
> check (not going to happen) or use a "--keyring" argument to force it to
> use the pubring.


Questioning FMI but not disagreeing with your decision ;^>

Not seeing any key issues as my pubring.gpg is symlinked as trustedkeys.gpg?

Although scallywag runs cannot even check keys, so what can we do about that?

2024-04-28T21:41:01.4042065Z >>> Preparing ncurses-6.5+20240427-1.x86_64
2024-04-28T21:41:01.4235798Z *** Info: SOURCE 1 signature follows:
2024-04-28T21:41:01.4407160Z gpg: directory '/home/runneradmin/.gnupg' created
2024-04-28T21:41:01.4508023Z gpg: keybox '/home/runneradmin/.gnupg/pubring.kbx' created
2024-04-28T21:41:01.4775748Z gpg: Signature made Sat, Apr 27, 2024  8:27:29 PM UTC
2024-04-28T21:41:01.4776513Z gpg:                using RSA key 19882D92DDA4C400C22C0D56CC2AF4472167BE03
2024-04-28T21:41:01.4784503Z gpg: Can't check signature: No public key

Another advantage is not seeing Eric Blake and others' pictures pop up ;^>

I tested with all my cached signed upstream package downloads and compared the 
logs from gpg2 --verify and gpgv2, so what benefit is reporting trust level 
"[unknown]" and expired keys from cygport, and what are you meant to do about 
expired keys for upstream package signers?


[While checking also came across keys from 1998 with my dialup email address!]

--
Take care. Thanks, Brian Inglis  Calgary, Alberta, Canada

La perfection est atteinte   Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter  not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer but when there is no more to cut
-- Antoine de Saint-Exupéry


Re: [PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify

2024-04-30 Thread ASSI via Cygwin-apps
Brian Inglis via Cygwin-apps writes:
> Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
> single operation gpg verification helper designed for use in scripts
> instead of gpg2 --verify: see 'info gpg2 helper gpgv'

NAK.  This tool doesn't check for expired keys and also searches for
keys in different places, so you'd have to change your setup.  More
specifically you'd either have to explicitly trust all keys you want to
check (not going to happen) or use a "--keyring" argument to force it to
use the pubring.

(I've used an old key file for Cygwin in the following for
demonstration, the current key is not expired obviously.)

--8<---cut here---start->8---
~> gpg2 --verify cygwin/setup64.zst{.sig,}
gpg: Signature made So 07 Apr 2024 16:30:47 CEST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A  5D56 1A69 8DE9 E2E5 6300
~> gpgv2 cygwin/setup64.zst{.sig,}
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/gratz/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made So 07 Apr 2024 16:30:47 CEST
gpgv:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpgv: Can't check signature: No public key
~> gpgv2 --keyring .gnupg/pubring.gpg cygwin/setup64.zst{.sig,}
gpgv: Signature made So 07 Apr 2024 16:30:47 CEST
gpgv:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpgv: Good signature from "Cygwin "
--8<---cut here---end--->8---


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada


[PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify

2024-04-30 Thread Brian Inglis via Cygwin-apps
From: "Brian Inglis" 

Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
single operation gpg verification helper designed for use in scripts
instead of gpg2 --verify: see 'info gpg2 helper gpgv'

__gpg_verify(): use gpgv2 not gpg2 --verify

Signed-off-by: Brian Inglis 
---
 lib/src_prep.cygpart |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/lib/src_prep.cygpart  2024-01-15 05:09:23.0 -0700
+++ b/lib/src_prep.cygpart  2024-04-30 01:49:54.294030400 -0600
@@ -181,7 +181,7 @@ __gpg_verify() {
local _filetype=${2};
local _sigext=${3:-sig};
 
-   if ! check_prog gpg2
+   if ! check_prog gpgv2
then
# display notice only once
if ! defined _gpg_not_found_
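Review bot: check_prog now looks for gpgv2 only, so a host that has gpg2 installed but no gpgv2 binary silently loses signature checking and takes the "not found" branch; consider falling back to gpg2 --verify when gpgv2 is absent rather than treating it as missing. The once-only notice emitted under _gpg_not_found_ is outside the hunk, but if its text names gpg2 it needs updating in the same patch to name the program the check actually looks for.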
@@ -196,7 +196,7 @@ __gpg_verify() {
if [ -f ${_file}.${_sigext} ]
then
inform "${_filetype} signature follows:";
-   gpg2 --verify ${_file}.${_sigext} ${_file} || true;
+   gpgv2 ${_file}.${_sigext} ${_file} || true;
fi
 }
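Review bot: the new gpgv2 call passes no --keyring, so it consults gpgv's default trustedkeys.gpg/.kbx rather than the pubring that gpg2 --verify searched; on any setup where those are not the same file the check degrades to "Can't check signature: No public key", and the retained `|| true` then discards that outcome along with every other failure, so the log shows a notice but nothing distinguishes a verified download from an unverified one. If gpgv2 is kept, pass the keyring explicitly, e.g. `gpgv2 --keyring ~/.gnupg/pubring.gpg ${_file}.${_sigext} ${_file}`, and at least emit a warning when the command fails instead of swallowing its exit status; note also that gpgv2 does not report an expired signing key, which gpg2 --verify did. Since the line is being touched, quoting "${_file}" and "${_sigext}" would avoid word splitting on paths with spaces.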