bug-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#22883: Trustable "guix pull"


From: Vagrant Cascadian
Subject: bug#22883: Trustable "guix pull"
Date: Sun, 02 Sep 2018 10:15:19 -0700

On 2018-09-02, Ludovic Courtès wrote:
> Vagrant Cascadian <address@hidden> skribis:
>> I really don't like having a custom GNUPGHOME, but I didn't see any
>> other obvious way to pass arguments to git to use a custom keyring. I
>> populated this GNUPGHOME with keys from:
>>
>>   
>> https://savannah.gnu.org/project/memberlist-gpgkeys.php?group=guix&download=1
>>
>> And then ran gpg --refresh-keys on it, as several keys were
>> outdated/expired.
>
> ‘gpgv’, which is recommended for this use case, has a ‘--keyring’
> argument.  I suppose we could use that.

I'm not sure how to get git to use gpgv instead of gpg, and extracting
the information out of git and then implementing some external
verification process, while possible, is likely error-prone.

A feature request to git to allow passing gpg arguments or use gpgv
would be the best way forward in the long-term.


live well,
  vagrant

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]