| Summary: | dev-util/catalyst should gpg sign the DIGESTS file | | |
|---|---|---|---|
| Product: | Gentoo Hosted Projects | Reporter: | Rick Farina (Zero_Chaos) <zerochaos> |
| Component: | Catalyst | Assignee: | Gentoo Catalyst Developers <catalyst> |
| Status: | CONFIRMED --- | | |
| Severity: | enhancement | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |

Description
Rick Farina (Zero_Chaos)
2012-10-12 22:27:20 UTC
It would be best to parse make.conf and read FEATURES="sign" and the potentially needed GPG_* variables from portage. I figure if you have FEATURES="sign" working for portage that should be enough to make all this work, and if you sign for portage you likely want to sign for catalyst as well.

(In reply to comment #0)
> gpg --clearsign -o gentoo-13.iso.DIGESTS.asc gentoo-13.DIGESTS && mv
> gentoo-13.iso.DIGESTS.asc gentoo-13.iso.DIGESTS

I would suggest putting the signature in a separate file, so that DIGESTS can still be parsed by checksum verifiers like `md5sum -c DIGESTS`. For portage tree snapshots, we do use a command like this:

```sh
gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output "$f".gpgsig "$f"
```

(In reply to comment #1)
> it would be best to parse make.conf and read FEATURES="sign" and the
> potentially needed GPG_* variables from portage. I figure if you have
> FEATURES="sign" working for portage that should be enough to make all this
> work, and if you sign for portage you likely want to sign for catalyst as
> well.

To get the portage config, you could use some code like this:

```python
import portage

# Only pick up the signing settings when FEATURES contains "sign".
if "sign" in portage.settings.get("FEATURES", "").split():
    gpg_dir = portage.settings.get("PORTAGE_GPG_DIR")
    gpg_key = portage.settings.get("PORTAGE_GPG_KEY")
```

The original idea of overwriting the DIGESTS file may not be the best, as it causes this ugly warning to appear when verifying DIGESTS:

```
md5sum: WARNING: 26 lines are improperly formatted
```

Perhaps keep it named .asc or something else entirely, but overwriting .DIGESTS appears to be a "bad idea".
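
The two points raised in the thread (gate signing on portage's FEATURES="sign", and keep the signature detached so DIGESTS still verifies cleanly) can be combined as below. This is an added example, not catalyst's or portage's own code: the function names, the `.asc` output suffix, the key and homedir values and the sample data are assumptions, and `malformed_lines` is only a simplified model of the line check a verifier like md5sum performs.

```python
import re
import subprocess

# Simplified model of a checksum line: 32 hex chars, a space, a mode
# character (' ' or '*'), then the file name. Lines starting with '#' are comments.
MD5_LINE = re.compile(r"^[0-9a-fA-F]{32} [ *].+$")

def malformed_lines(text):
    """Count lines a checksum verifier would report as improperly formatted."""
    return sum(1 for line in text.splitlines()
               if not line.startswith("#") and not MD5_LINE.match(line))

def detached_sign_cmd(settings, path):
    """Build the gpg argv for a detached signature, or None without FEATURES="sign".

    `settings` is any mapping with .get(), e.g. portage.settings or a plain dict.
    """
    if "sign" not in settings.get("FEATURES", "").split():
        return None
    cmd = ["gpg", "--batch", "--armor", "--detach-sign"]
    if settings.get("PORTAGE_GPG_DIR"):
        cmd += ["--homedir", settings.get("PORTAGE_GPG_DIR")]
    if settings.get("PORTAGE_GPG_KEY"):
        cmd += ["-u", settings.get("PORTAGE_GPG_KEY")]
    # Assumption: the signature is written to <path>.asc and <path> is left untouched.
    return cmd + ["--output", path + ".asc", path]

def sign_digests(settings, path):
    """Write a detached signature next to `path`; return its name, or None if signing is off."""
    cmd = detached_sign_cmd(settings, path)
    if cmd is None:
        return None
    subprocess.run(cmd, check=True)  # raises if gpg fails, so the failure is not silent
    return path + ".asc"

# Constructed sample data (not real release digests or signatures).
DIGESTS = "# MD5 HASH\nd41d8cd98f00b204e9800998ecf8427e  gentoo-13.iso\n"
CLEARSIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n" + DIGESTS +
               "-----BEGIN PGP SIGNATURE-----\n\n(constructed placeholder)\n"
               "-----END PGP SIGNATURE-----\n")

if __name__ == "__main__":
    print("plain DIGESTS, malformed lines:", malformed_lines(DIGESTS))
    print("clearsigned, malformed lines:  ", malformed_lines(CLEARSIGNED))
    print(detached_sign_cmd({"FEATURES": "sign", "PORTAGE_GPG_KEY": "0xCONSTRUCTED"},
                            "gentoo-13.iso.DIGESTS"))
```

With a detached signature, consumers verify the `.asc` file against DIGESTS with gpg first and only then run the checksum verifier on the unmodified DIGESTS.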