Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-dev

From: "Haelwenn (lanodan) Monnier" <contact@×××××××××.me>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] verify-sig.eclass: add app-crypt/signify support
Date: Wed, 08 Dec 2021 15:29:36
Message-Id: YbDPUzoV6IyMvbZR@cloudsdale.the-delta.net.eu.org
1 [2021-12-08 19:28:24+0500] Anna Vyalkova:
2 > On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
3 > > >+case ${VERIFY_SIG_IMPL} in
4 > > >+ gnupg)
5 > > >+ BDEPEND="
6 > > >+ verify-sig? (
7 > > >+ app-crypt/gnupg
8 > > >+ >=app-portage/gemato-16
9 > > >+ )"
10 > > >+ ;;
11 > > >+ signify)
12 > > >+ BDEPEND="verify-sig? ( app-crypt/signify )"
13 > >
14 > > Might be worth it to depend on app-crypt/minisign instead or depend on any.
15 > > minisign is already stabilized and I slightly prefer it's implementation over
16 > > the ported signify as there is no vendoring.
17 > > That said minisign could be considered bloated compared to signify.
18 >
19 > $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
20 > Trusted signature comment should start with "trusted comment: "
21 >
22 > It doesn't work :/
23 > Also it has no "verify signed checksums list" mode.
24
25 Not sure what your files are but those two are definitely bugs in minisign. :/
26
27 > > >+ case ${VERIFY_SIG_IMPL} in
28 > > >+ gnupg)
29 > > >+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
30 > > >+ gpg --verify "${sig}" "${file}" ||
31 > > >+ die "PGP signature verification failed"
32 > > >+ ;;
33 > > >+ signify)
34 > > >+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
35 > > >+ die "PGP signature verification failed"
36 > >
37 > > Should be something like "Signify signature verification failed".
38 >
39 > It's still PGP, so the message is accurate. Having different messages
40 > would be inconsistent. That's what I think.
41
42 Nah, signify has nothing to do with OpenPGP, they are entirely different.
43
44 OpenPGP is defined in RFC4880 and is implemented by PGP, GnuPG and NetPGP.
45 It notably has non-rotable identity keys, subkeys, keyservers and a web-of-trust.
46
47 Signify is just barebones signatures from one simple key, with rotation being
48 intended and no designed network protocol.
49 See https://flak.tedunangst.com/post/signify for details.
Report Message
Find on MARC Find on Google Groups