| 1 |
On 12/13/2015 07:50 PM, Andrew Savchenko wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> On Sun, 13 Dec 2015 18:38:55 +0100 Patrick Lauer wrote: |
| 5 |
>> On 12/13/2015 06:36 PM, Patrick Lauer wrote: |
| 6 |
>>> So apparently we're signing things with gpg now |
| 7 |
>> And a related question: |
| 8 |
>> |
| 9 |
>> How would I actually verify the signatures in a meaningful way? |
| 10 |
> git log --show-signature does this using GnuPG. |
| 11 |
That's not very automated or effective. |
| 12 |
I'd assume 'emerge' has such functionality included ...? |
| 13 |
> |
| 14 |
> Of course, in order to gpg to work one have to mark dev keys as |
| 15 |
> trusted, they can be verified using ldap or several public |
| 16 |
> keyservers. LDAP is more reliable, of course, but this method works |
| 17 |
> only for devs (and probably some stuff members) having an access |
| 18 |
> here. |
| 19 |
That's what the app-crypt/gkeys thing is for, as far as I can tell. |
Archives