I've created a shell wrapper that might be useful for this called "gpgv-multisig", which is a multi-call executable. Given /usr/bin/gpgv-multisig

  ln -s gpgv-multisig /usr/bin/gpgv-aptkeys

and called as 'gpgv-aptkeys' it will assume the keyring to be used is /etc/apt/trusted.gpg (set by APT_KEYRING).

Returns the same exit codes as detailed in man gpgv(1):

  0 = all signatures good
  1 = at least one signature good
  2 = no signatures good

Many configuration variables can be overridden from the environment but adopt sensible defaults.

** Attachment added: "Shell script wrapping gpgv for multi-signature gpgv"
   https://bugs.launchpad.net/ubuntu/+source/ubuntu-release-upgrader/+bug/1801762/+attachment/5209443/+files/gpgv-multisig

--
https://bugs.launchpad.net/bugs/1801762

Title:
  Dual-signed things should be easy to verify with one key

Status in apt package in Ubuntu:
  New
Status in debmirror package in Ubuntu:
  New
Status in gnupg2 package in Ubuntu:
  New
Status in ubuntu-keyring package in Ubuntu:
  New
Status in ubuntu-release-upgrader package in Ubuntu:
  New

Bug description:
  As part of Ubuntu key rotation strategy, we rely on dual-signing (inline, or detached) such that validation with at least one key available in a keyring should be trusted, without using web-of-trust.

  However, so far it seems to be correctly implemented only by apt's gpgv method.

  Ideally, we should ship an easy enough to use helper that is `like gpgv` to use, possibly reusing apt's gpgv code and/or exposing it via apt-key's verify.

  The problem seems to be that 1 good sig + 1 no public key available results in gpgv exiting with 2, instead of 0 or 1.

  Ideally it should be easy enough to use gpgv/gpg to verify that at least one signature is good, and decrypt/extract signed contents only.

  More details and reproducers to follow.
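An added example, not the attached gpgv-multisig script and not code from the bug report: one way to get the "at least one good signature" verdict is to classify gpgv's --status-fd lines instead of trusting its exit code. The function names, the choice of which status keywords count as not good, and the sample status lines are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example; not the attached gpgv-multisig script.

# Read gpgv --status-fd output on stdin and return, per the mapping in the comment:
#   0 = all signatures good, 1 = at least one good, 2 = none good.
multisig_verdict() {
    good=0
    notgood=0
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] "*) ;;
            *) continue ;;          # ignore anything that is not a status line
        esac
        rest=${line#"[GNUPG:] "}
        case ${rest%% *} in
            GOODSIG)
                good=$((good + 1)) ;;
            # NO_PUBKEY is not listed: it accompanies an ERRSIG line for the
            # same signature and would otherwise be counted twice.
            BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
                notgood=$((notgood + 1)) ;;
        esac
    done
    [ "$good" -gt 0 ] || return 2   # fail closed, also on empty input
    [ "$notgood" -eq 0 ] || return 1
    return 0
}

# Hypothetical wrapper: verify "$@" (e.g. Release.gpg Release) against one keyring
# and return the verdict above instead of gpgv's own exit code.
verify_any_good() {
    gpgv --status-fd 1 --keyring "${APT_KEYRING:-/etc/apt/trusted.gpg}" "$@" \
        2>/dev/null | multisig_verdict
}

# Constructed status output for a dual-signed file: first signer unknown to the
# keyring, second signer present. Key IDs and user ID are made up.
sample_dual_signed() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 1111111111111111 1 10 00 1541376000 9 -
[GNUPG:] NO_PUBKEY 1111111111111111
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2222222222222222 Constructed Archive Key <archive@example.invalid>
EOF
}

rc=0; sample_dual_signed | multisig_verdict || rc=$?
echo "dual-signed sample verdict: $rc"
```

A caller that wants the dual-signing behaviour described in the bug would accept 0 or 1 and reject 2.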

