Re: [PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify
On 2024-04-30 23:50, ASSI via Cygwin-apps wrote:
> Brian Inglis via Cygwin-apps writes:
>> Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
>> single operation gpg verification helper designed for use in scripts
>> instead of gpg2 --verify: see 'info gpg2 helper gpgv'
> NAK. This tool doesn't check for expired keys and also searches for keys
> in different places, so you'd have to change your setup. More
> specifically you'd either have to explicitly trust all keys you want to
> check (not going to happen) or use a "--keyring" argument to force it to
> use the pubring.

Questioning FMI but not disagreeing with your decision ;^>

Not seeing any key issues as my pubring.gpg is symlinked as trustedkeys.gpg?

Although scallywag runs can not even check keys, so what can we do about that?

2024-04-28T21:41:01.4042065Z >>> Preparing ncurses-6.5+20240427-1.x86_64
2024-04-28T21:41:01.4235798Z *** Info: SOURCE 1 signature follows:
2024-04-28T21:41:01.4407160Z gpg: directory '/home/runneradmin/.gnupg' created
2024-04-28T21:41:01.4508023Z gpg: keybox '/home/runneradmin/.gnupg/pubring.kbx' created
2024-04-28T21:41:01.4775748Z gpg: Signature made Sat, Apr 27, 2024 8:27:29 PM UTC
2024-04-28T21:41:01.4776513Z gpg:                using RSA key 19882D92DDA4C400C22C0D56CC2AF4472167BE03
2024-04-28T21:41:01.4784503Z gpg: Can't check signature: No public key

Other advantage is not seeing Eric Blake and others' pictures pop up ;^>

I tested with all my cached signed upstream package downloads and compared the logs from gpg2 --verify and gpgv2, so what benefit is reporting trust level "[unknown]" and expired keys from cygport, and what are you meant to do about expired keys for upstream package signers?

[While checking also came across keys from 1998 with my dialup email address!]

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

La perfection est atteinte                    Perfection is achieved
non pas lorsqu'il n'y a plus rien à ajouter   not when there is no more to add
mais lorsqu'il n'y a plus rien à retirer      but when there is no more to cut
                                              -- Antoine de Saint-Exupéry
Re: [PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify
Brian Inglis via Cygwin-apps writes:
> Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly,
> single operation gpg verification helper designed for use in scripts
> instead of gpg2 --verify: see 'info gpg2 helper gpgv'

NAK. This tool doesn't check for expired keys and also searches for keys in different places, so you'd have to change your setup. More specifically you'd either have to explicitly trust all keys you want to check (not going to happen) or use a "--keyring" argument to force it to use the pubring.

(I've used an old key file for Cygwin in the following for demonstration, the current key is not expired obviously.)

--8<---cut here---start->8---
~> gpg2 --verify cygwin/setup64.zst{.sig,}
gpg: Signature made So 07 Apr 2024 16:30:47 CEST
gpg:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpg: Good signature from "Cygwin " [expired]
gpg: Note: This key has expired!
Primary key fingerprint: 5640 5CF6 FCC8 1574 682A 5D56 1A69 8DE9 E2E5 6300
~> gpgv2 cygwin/setup64.zst{.sig,}
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/gratz/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made So 07 Apr 2024 16:30:47 CEST
gpgv:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpgv: Can't check signature: No public key
~> gpgv2 --keyring .gnupg/pubring.gpg cygwin/setup64.zst{.sig,}
gpgv: Signature made So 07 Apr 2024 16:30:47 CEST
gpgv:                using RSA key 56405CF6FCC81574682A5D561A698DE9E2E56300
gpgv: Good signature from "Cygwin "
--8<---cut here---end--->8---

Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
SD adaptations for Waldorf Q V3.00R3 and Q+ V3.54R2:
http://Synth.Stromeko.net/Downloads.html#WaldorfSDada
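Both messages above turn on the same two points: gpgv consults only trustedkeys.gpg/.kbx unless given --keyring, and neither tool's exit status tells a script whether the key was missing, expired or simply not there (the scallywag run and the expired Cygwin key are the two cases shown). The following shell script is an added example written for this page; it is not cygport's or GnuPG's code. It drives either gpg2 --verify or gpgv2 --keyring through the documented --status-fd interface and classifies the "[GNUPG:]" keywords, which is what a build script can act on. The binary names gpg2/gpgv2 are assumed from Cygwin and can be overridden through the GPG/GPGV variables; the status transcripts at the bottom are constructed, not captured, so the classifier runs without GnuPG installed.

```shell
#!/bin/sh
# Added example, not cygport code: classify a detached-signature check by
# gpg's machine-readable status lines instead of its human-readable output.
# Assumed binary names follow Cygwin (gpg2/gpgv2); override with GPG/GPGV.
GPG=${GPG:-gpg2}
GPGV=${GPGV:-gpgv2}

# classify_status: read "[GNUPG:] ..." lines on stdin, print one verdict word.
# Exit status alone is not enough: gpg exits 0 for a good signature made by a
# now-expired key, and gpgv does not flag expiry at all, so the keywords are
# the only reliable signal.
classify_status() {
    good=0 expired=0 revoked=0 nokey=0 bad=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] GOODSIG "*)   good=1 ;;
            "[GNUPG:] EXPKEYSIG "*) expired=1 ;;  # signature fine, signing key expired
            "[GNUPG:] EXPSIG "*)    expired=1 ;;  # signature itself carries an expiry
            "[GNUPG:] REVKEYSIG "*) revoked=1 ;;
            "[GNUPG:] NO_PUBKEY "*) nokey=1 ;;    # key absent from the keyring consulted
            "[GNUPG:] BADSIG "*)    bad=1 ;;
            "[GNUPG:] ERRSIG "*)    bad=1 ;;      # also emitted before NO_PUBKEY; demoted below
        esac
    done
    if   [ "$nokey" = 1 ];   then echo nokey
    elif [ "$bad" = 1 ];     then echo bad
    elif [ "$revoked" = 1 ]; then echo revoked
    elif [ "$expired" = 1 ]; then echo expired
    elif [ "$good" = 1 ];    then echo good
    else echo unknown
    fi
}

# verify_file SIG DATA [KEYRING]: print the verdict for a detached signature.
# With KEYRING, gpgv is used with that keyring made explicit (without
# --keyring gpgv reads only trustedkeys.gpg/.kbx, never pubring); without it,
# gpg --verify is used, which also reports expiry and trust.
verify_file() {
    if [ -n "$3" ]; then
        "$GPGV" --status-fd 1 --keyring "$3" "$1" "$2"
    else
        "$GPG" --status-fd 1 --verify "$1" "$2"
    fi | classify_status
}

# verdict_exit VERDICT: one possible build-script policy. Expired signing keys
# are common for upstream tarballs and only warn here; anything that is not a
# verified signature fails.
verdict_exit() {
    case $1 in
        good)    return 0 ;;
        expired) echo "warning: good signature, but the signing key has expired" >&2; return 0 ;;
        *)       echo "error: signature verdict '$1'" >&2; return 1 ;;
    esac
}

# Constructed status transcripts (key ids and user ids are made up) so the
# classifier can be exercised without GnuPG installed.
STATUS_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0123456789ABCDEF 2024-04-27 1714249649 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF0123456789ABCDEF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
STATUS_EXPIRED='[GNUPG:] NEWSIG
[GNUPG:] KEYEXPIRED 1712498447
[GNUPG:] EXPKEYSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF0123456789ABCDEF 2024-04-07 1712500247 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF0123456789ABCDEF'
STATUS_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1714249649 9 00112233445566778899AABBCCDDEEFF0123456789ABCDEF
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.invalid>'

if [ $# -ge 2 ]; then
    # Real run: ./verify.sh file.sig file [keyring]
    verdict=$(verify_file "$@")
    printf '%s\n' "$verdict"
    verdict_exit "$verdict" || exit 1
else
    # No arguments: show what the classifier makes of each constructed transcript.
    for name in STATUS_GOOD STATUS_EXPIRED STATUS_NOKEY STATUS_BAD; do
        eval "transcript=\$$name"
        printf '%s -> %s\n' "$name" "$(printf '%s\n' "$transcript" | classify_status)"
    done
fi
```

Run with no arguments it only classifies the constructed transcripts; run as `sh verify.sh ncurses-6.5.tar.gz.asc ncurses-6.5.tar.gz` it calls gpg2 --verify, and with a third argument such as `~/.gnupg/pubring.kbx` it calls gpgv2 --keyring instead, which is the form the second reply above needed. In a CI run with an empty GnuPG home the verdict is "nokey" rather than a silently ignored failure, which answers the question of what a script can do about that case: fail, or at least say so.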
[PATCH] cygport/lib/src_prep.cygpart: use gpgv2 not gpg2 --verify
From: "Brian Inglis" Utility gpgv2 is the gpg2 release of gpgv, a lighter, script friendly, single operation gpg verification helper designed for use in scripts instead of gpg2 --verify: see 'info gpg2 helper gpgv' __gpg_verify(): use gpgv2 not gpg2 --verify Signed-off-by: Brian Inglis --- lib/src_prep.cygpart |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/lib/src_prep.cygpart 2024-01-15 05:09:23.0 -0700 +++ b/lib/src_prep.cygpart 2024-04-30 01:49:54.294030400 -0600 @@ -181,7 +181,7 @@ __gpg_verify() { local _filetype=${2}; local _sigext=${3:-sig}; - if ! check_prog gpg2 + if ! check_prog gpgv2 then # display notice only once if ! defined _gpg_not_found_ @@ -196,7 +196,7 @@ __gpg_verify() { if [ -f ${_file}.${_sigext} ] then inform "${_filetype} signature follows:"; - gpg2 --verify ${_file}.${_sigext} ${_file} || true; + gpgv2 ${_file}.${_sigext} ${_file} || true; fi }
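Review bot: In the second hunk, `gpgv2 ${_file}.${_sigext} ${_file}` is run without `--keyring`, so it consults only trustedkeys.gpg/trustedkeys.kbx in the GnuPG home and never the pubring that `gpg2 --verify` used; anyone whose upstream keys live in pubring now gets "Can't check signature: No public key", and gpgv additionally treats every key in its keyring as fully trusted and does not report expiry, so the replacement is not behaviour-preserving. If the switch is kept, pass the keyring explicitly, e.g. `gpgv2 --keyring "${HOME}/.gnupg/pubring.kbx" ${_file}.${_sigext} ${_file}` (or pubring.gpg for older setups), and say so in the commit message. Separately, the trailing `|| true` is kept, so a bad, unverifiable or keyless signature still cannot fail the build; with either tool, `--status-fd` would let the caller distinguish a good signature from NO_PUBKEY or an expired key instead of discarding the result.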