1 |
On 12/13/2015 07:50 PM, Andrew Savchenko wrote: |
2 |
> Hi, |
3 |
> |
4 |
> On Sun, 13 Dec 2015 18:38:55 +0100 Patrick Lauer wrote: |
5 |
>> On 12/13/2015 06:36 PM, Patrick Lauer wrote: |
6 |
>>> So apparently we're signing things with gpg now |
7 |
>> And a related question: |
8 |
>> |
9 |
>> How would I actually verify the signatures in a meaningful way? |
10 |
> git log --show-signature does this using GnuPG. |
11 |
That's not very automated or effective. |
12 |
I'd assume 'emerge' has such functionality included ...? |
13 |
> |
14 |
> Of course, in order to gpg to work one have to mark dev keys as |
15 |
> trusted, they can be verified using ldap or several public |
16 |
> keyservers. LDAP is more reliable, of course, but this method works |
17 |
> only for devs (and probably some stuff members) having an access |
18 |
> here. |
19 |
That's what the app-crypt/gkeys thing is for, as far as I can tell. |