Re: tarball signing

2016-09-12 Thread David Faure
On Monday 12 September 2016 12:33:06 CEST Harald Sitter wrote: > I'd say that you need to add your public key on the server's keyring. Thanks Harald. It works!!! -- David Faure, fa...@kde.org, http://www.davidfaure.fr Working on KDE Frameworks 5

Re: tarball signing

2016-09-12 Thread Harald Sitter
quick guide https://gist.github.com/apachelogger/4aa69ad0637feedb330b3fadc7adea3a with openssh 6.7 and gpg 2.1 it really is this simple (do note that gpg2.1 needs to be on server and client!) On Mon, Sep 12, 2016 at 12:33 PM, Harald Sitter wrote: > On Sat, Sep 10, 2016 at 1:26

Re: tarball signing

2016-09-12 Thread Harald Sitter
On Sat, Sep 10, 2016 at 1:26 PM, David Faure wrote: > On Monday 8 August 2016 17:07:41 CEST Harald Sitter wrote: >> 1. Move release tarballing from rosetta to a server/container with >> gpg2.1 > > So, now we are trying this. > > Partial success, ssh says > "remote forward success" >

Re: tarball signing

2016-09-10 Thread David Faure
On Monday 8 August 2016 17:07:41 CEST Harald Sitter wrote: > 1. Move release tarballing from rosetta to a server/container with > gpg2.1 So, now we are trying this. Partial success, ssh says "remote forward success" and running gpg-connect-agent on the server works (and it triggers debug output in

Re: tarball signing

2016-08-08 Thread Harald Sitter
On Sun, Aug 7, 2016 at 9:01 PM, David Faure wrote: > On Wednesday 15 June 2016 12:53:23 CEST Andre Heinecke wrote: >> I'm using agent-forwarding through socat for that reason: >> >> Here is an example how I connect to . The last command is >> executed after ssh on the server. >> >>

Re: tarball signing

2016-08-07 Thread David Faure
On Wednesday 15 June 2016 12:53:23 CEST Andre Heinecke wrote: > I'm using agent-forwarding through socat for that reason: > > Here is an example how I connect to . The last command is > executed after ssh on the server. > > (while true; do socat TCP-LISTEN:16668,bind=127.0.0.1 >

Re: tarball signing

2016-07-03 Thread Ben Cooksley
On Sun, Jul 3, 2016 at 12:20 AM, David Faure wrote: > On Monday 13 June 2016 15:33:51 CEST David Faure wrote: >> On Monday 6 June 2016 11:39:25 CEST Sandro Knauß wrote: >> > you don't need to have the private key on the server - We have gpg-agent >> > and >> > ssh - so you can forward

Re: tarball signing

2016-07-02 Thread David Faure
On Monday 13 June 2016 15:33:51 CEST David Faure wrote: > On Monday 6 June 2016 11:39:25 CEST Sandro Knauß wrote: > > you don't need to have the private key on the server - We have gpg-agent > > and > > ssh - so you can forward the gpg-agent to the server when doing a release. > > That way the

Re: tarball signing

2016-06-15 Thread Andre Heinecke
Hi, On Monday 13 June 2016 15:33:51 David Faure wrote: > On Monday 6 June 2016 11:39:25 CEST Sandro Knauß wrote: > > you don't need to have the private key on the server - We have gpg-agent > > and > > ssh - so you can forward the gpg-agent to the server when doing a release. > > That way the

Re: tarball signing

2016-06-13 Thread David Faure
On Monday 6 June 2016 11:39:25 CEST Sandro Knauß wrote: > you don't need to have the private key on the server - We have gpg-agent and > ssh - so you can forward the gpg-agent to the server when doing a release. > That way the private key material stays safe at your place: > >

Re: tarball signing

2016-06-07 Thread David Faure
On Tuesday, June 7, 2016 6:16:04 PM CEST Harald Sitter wrote: > On Tue, Jun 7, 2016 at 2:09 PM, Albert Astals Cid wrote: > > On Monday, 6 June 2016, at 11:39:25 CEST, Sandro Knauß wrote: > >> Hey, > >> > >> > Well, Albert and I use (the same user on) the same

Re: tarball signing

2016-06-07 Thread Harald Sitter
On Tue, Jun 7, 2016 at 2:09 PM, Albert Astals Cid wrote: > On Monday, 6 June 2016, at 11:39:25 CEST, Sandro Knauß wrote: >> Hey, >> >> > Well, Albert and I use (the same user on) the same server to make >> > releases. >> > So the private key will have to be on that

Re: tarball signing

2016-06-07 Thread Andre Heinecke
Hi, Thanks for working on this. Signed tarballs would also help me when updating KDE Packages in Gpg4win :-). On Tuesday 07 June 2016 14:09:44 Albert Astals Cid wrote: > On Monday, 6 June 2016, at 11:39:25 CEST, Sandro Knauß wrote: > > > Well, Albert and I use (the same user

Re: tarball signing

2016-06-07 Thread Albert Astals Cid
On Monday, 6 June 2016, at 11:39:25 CEST, Sandro Knauß wrote: > Hey, > > > Well, Albert and I use (the same user on) the same server to make > > releases. > > So the private key will have to be on that server, otherwise it will > > become > > very inconvenient (download, sign,

Re: tarball signing

2016-06-06 Thread Sandro Knauß
Hey, > Well, Albert and I use (the same user on) the same server to make releases. > So the private key will have to be on that server, otherwise it will become > very inconvenient (download, sign, upload). > > But if that's good enough, and if we can tell gpg2 which private key to use > (so he

Re: tarball signing

2016-06-06 Thread David Faure
On Saturday 4 June 2016 00:18:44 CEST Sandro Knauß wrote: > On the one side, if the private key is easy to grab, it does not help > improving security, but if the private key lives only on a specific > secured computer it would help a lot. Well, Albert and I use (the same user on) the same server

Re: tarball signing

2016-06-04 Thread Sandro Knauß
Hey, > Does that really fix anything if no one has my gpg key in the > trusted/validated signatures area? How do they know it's me that signed the > package and not some hacker that got access to the server and did sign the > tarballs? On the one side, if the private key is easy to grab, it does

Re: tarball signing

2016-06-03 Thread Martin Graesslin
On Friday, June 3, 2016 4:02:43 PM CEST Albert Astals Cid wrote: > On Thursday, 2 June 2016, at 13:53:46 CEST, Harald Sitter wrote: > > Ahoy > > > > At last weekend's Munich sprint, Jonathan and I discussed the > > possibility of detached-signing our tarballs. Right now people have

Re: tarball signing

2016-06-03 Thread Albert Astals Cid
On Thursday, 2 June 2016, at 13:53:46 CEST, Harald Sitter wrote: > Ahoy > > At last weekend's Munich sprint, Jonathan and I discussed the > possibility of detached-signing our tarballs. Right now people have to > go to some website, get checksums, and then verify the downloaded >

tarball signing

2016-06-02 Thread Harald Sitter
Ahoy At last weekend's Munich sprint, Jonathan and I discussed the possibility of detached-signing our tarballs. Right now people have to go to some website, get checksums, and then verify the downloaded tarballs match the checksums. This is not only terrible because it involves humans doing