[2021-12-08 19:28:24+0500] Anna Vyalkova:
> On 2021-12-08 13:54, Haelwenn (lanodan) Monnier wrote:
> > >+case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ BDEPEND="
> > >+ verify-sig? (
> > >+ app-crypt/gnupg
> > >+ >=app-portage/gemato-16
> > >+ )"
> > >+ ;;
> > >+ signify)
> > >+ BDEPEND="verify-sig? ( app-crypt/signify )"
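Review bot: the visible `case ${VERIFY_SIG_IMPL} in` has no `*)` branch; unless one follows in the part Haelwenn snipped, add `*) die "Unknown VERIFY_SIG_IMPL=${VERIFY_SIG_IMPL}" ;;` so a misspelled value fails at source time instead of silently leaving BDEPEND empty. Since this `case` runs at global scope when the eclass is sourced, the eclass documentation should also state that VERIFY_SIG_IMPL must be set before `inherit`, otherwise the signify branch can never be selected.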
> >
> > Might be worth it to depend on app-crypt/minisign instead or depend on any.
> > minisign is already stabilized and I slightly prefer its implementation over
> > the ported signify as there is no vendoring.
> > That said minisign could be considered bloated compared to signify.
>
> $ minisign -Vp /usr/share/openpgp-keys/gmid-1.7.pub -m SHA256 -x SHA256.sig -o
> Trusted signature comment should start with "trusted comment: "
>
> It doesn't work :/
> Also it has no "verify signed checksums list" mode.

Not sure what your files are, but those two are definitely bugs in minisign. :/

> > >+ case ${VERIFY_SIG_IMPL} in
> > >+ gnupg)
> > >+ gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
> > >+ gpg --verify "${sig}" "${file}" ||
> > >+ die "PGP signature verification failed"
> > >+ ;;
> > >+ signify)
> > >+ signify -V -p "${key}" -m "${file}" -x "${sig}" ||
> > >+ die "PGP signature verification failed"
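Review bot: the signify branch silently drops `"${extra_args[@]}"`, which the gnupg branch passes through to `gemato gpg-wrap`; if callers can put anything into `extra_args`, the signify branch should either translate it or `die` when it is non-empty, rather than ignore it, and if the array is gnupg-internal that should be stated in a comment. Separately, the `die` in the signify branch reports "PGP signature verification failed" for a tool that is not an OpenPGP implementation; one message keyed on the implementation, e.g. `die "${VERIFY_SIG_IMPL} signature verification failed"`, keeps both branches consistent without mislabelling the signify case.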
> >
> > Should be something like "Signify signature verification failed".
>
> It's still PGP, so the message is accurate. Having different messages
> would be inconsistent. That's what I think.

Nah, signify has nothing to do with OpenPGP; they are entirely different.

OpenPGP is defined in RFC 4880 and is implemented by PGP, GnuPG and NetPGP.
It notably has non-rotatable identity keys, subkeys, keyservers and a web-of-trust.

Signify is just barebones signatures from one simple key, with rotation being
intended and no designed network protocol.
See https://flak.tedunangst.com/post/signify for details.
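To make the signify side of this thread concrete, here is an added example that is not code from the eclass, from signify or from minisign: a Go program that parses the two-line signify key and signature layout ("untrusted comment:" line plus base64 of "Ed", an 8-byte key number and the Ed25519 key or signature), checks that the key numbers match, verifies the signature with the standard library's crypto/ed25519, and then shows the failure modes, including a signature file carrying the minisign "trusted comment:" trailer that the bare signify layout lacks (the mirror image of the error minisign printed above). The comment strings, the random key number, the in-memory "files" and the checksum-style message are assumptions constructed for the example; signify's -C mode (verifying a signed checksum list and then each listed file) is not modelled, and the example does not assert how OpenBSD signify itself treats trailing lines.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signify file layout (public key and detached signature share it):
//   line 1: "untrusted comment: <free text>"
//   line 2: base64("Ed" || 8-byte keynum || 32-byte pubkey or 64-byte signature)
// minisign adds a third "trusted comment: ..." line and a fourth base64 global
// signature; that trailer is what minisign -V demanded from a signify file.
const (
	untrustedPrefix = "untrusted comment: "
	trustedPrefix   = "trusted comment: "
	keyNumLen       = 8
)

type signifyBlob struct {
	keyNum [keyNumLen]byte
	data   []byte // public key or signature bytes
}

// parseSignifyFile decodes the two-line layout; wantLen is the payload size
// (ed25519.PublicKeySize for a key, ed25519.SignatureSize for a signature).
func parseSignifyFile(contents string, wantLen int) (signifyBlob, error) {
	var blob signifyBlob
	lines := strings.Split(strings.TrimRight(contents, "\n"), "\n")
	if len(lines) < 2 || !strings.HasPrefix(lines[0], untrustedPrefix) {
		return blob, errors.New("missing \"untrusted comment:\" header line")
	}
	if len(lines) > 2 {
		if strings.HasPrefix(lines[2], trustedPrefix) {
			return blob, errors.New("minisign layout: trusted-comment trailer present, not a bare signify file")
		}
		return blob, fmt.Errorf("unexpected trailing lines (%d)", len(lines)-2)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(lines[1]))
	if err != nil {
		return blob, fmt.Errorf("base64: %w", err)
	}
	if len(raw) != 2+keyNumLen+wantLen {
		return blob, fmt.Errorf("decoded length %d, want %d", len(raw), 2+keyNumLen+wantLen)
	}
	if string(raw[:2]) != "Ed" {
		return blob, fmt.Errorf("unsupported algorithm tag %q", raw[:2])
	}
	copy(blob.keyNum[:], raw[2:2+keyNumLen])
	blob.data = raw[2+keyNumLen:]
	return blob, nil
}

// VerifySignify mirrors `signify -V -p pub -m msg -x sig`: both files must
// carry the same key number, then the Ed25519 signature is checked over msg.
func VerifySignify(pubFile, sigFile string, msg []byte) error {
	pub, err := parseSignifyFile(pubFile, ed25519.PublicKeySize)
	if err != nil {
		return fmt.Errorf("public key: %w", err)
	}
	sig, err := parseSignifyFile(sigFile, ed25519.SignatureSize)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if pub.keyNum != sig.keyNum {
		return errors.New("verification failed: checked against wrong key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub.data), msg, sig.data) {
		return errors.New("signature verification failed")
	}
	return nil
}

// MakeSignifyFiles generates a key pair and a detached signature over msg in
// signify layout. Constructed for this example: the comment strings and the
// random key number are assumptions, not anything signify itself emits here.
func MakeSignifyFiles(msg []byte) (pubFile, sigFile string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	var keyNum [keyNumLen]byte
	if _, err := rand.Read(keyNum[:]); err != nil {
		return "", "", err
	}
	encode := func(payload []byte) string {
		raw := append([]byte("Ed"), keyNum[:]...)
		return base64.StdEncoding.EncodeToString(append(raw, payload...))
	}
	pubFile = untrustedPrefix + "example signify public key\n" + encode(pub) + "\n"
	sigFile = untrustedPrefix + "verify with example.pub\n" + encode(ed25519.Sign(priv, msg)) + "\n"
	return pubFile, sigFile, nil
}

func main() {
	msg := []byte("SHA256 (gmid-1.7.tar.gz) = constructed-checksum-line\n") // constructed input
	pubFile, sigFile, err := MakeSignifyFiles(msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("valid signature:", VerifySignify(pubFile, sigFile, msg))
	fmt.Println("tampered message:", VerifySignify(pubFile, sigFile, []byte("tampered\n")))
	otherPub, _, _ := MakeSignifyFiles(msg)
	fmt.Println("wrong key:", VerifySignify(otherPub, sigFile, msg))
	minisignStyle := sigFile + trustedPrefix + "timestamp:0\n" + strings.Repeat("A", 88) + "\n"
	fmt.Println("minisign layout:", VerifySignify(pubFile, minisignStyle, msg))
}
```

The key-number check is what produces signify's "checked against wrong key" outcome before any Ed25519 math runs, so a key rotated as the post above describes is rejected by key number, not by a failed signature; note that the check does not bind the message to a file name or timestamp, which is exactly what the minisign trusted comment adds and what minisign was looking for when it refused the signify signature.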