Hi all,
In order to allow users to verify binary packages Gentoo's portage
offers the option to sign any generated binary packages after
installation. For this to work the configured signing key is unlocked
once before a job starts, and it should then remain unlocked until
portage completes the job.
Currently the way this is accomplished involves periodically signing
/dev/null, code snippet below:
    self.GPG_unlock_command = self.GPG_signing_base_command.replace(
        "[PORTAGE_CONFIG]",
        f"--homedir {self.signing_gpg_home} "
        f"--digest-algo {self.digest_algo} "
        f"--local-user {self.signing_gpg_key} "
        "--output - /dev/null",
    )
Recently we fixed a bug[1][2] in this code that caused /dev/null to be
removed if GnuPG failed to unlock the key. This however prompted the
question if there is not a more elegant way to do this.
Signing /dev/null feels like more of a hack than an actual solution to
keeping the key unlocked until portage finishes. Therefore I would like
to ask you if you have any better ideas to do this?
Best regards,
Andrew
[1] https://bugs.gentoo.org/912808
[2] https://github.com/gentoo/portage/commit/9d278330839049a818ba9f1e3985c7e502c63451
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
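For readers who want to see the keep-alive pattern from the post in isolation, here is an added example (hypothetical code, not portage's own) that runs the same periodic no-op signature but feeds gpg an empty stdin instead of the path /dev/null, builds argv as a list rather than a substituted command string, and counts failed refreshes so the caller can abort the job. It assumes a working gpg binary and that gpg-agent caches the passphrase after the first successful run; the homedir, digest and key id values are placeholders.

```python
import subprocess
import threading


def build_unlock_argv(gpg_home, digest_algo, key_id):
    """Argv for one no-op signing run (hypothetical helper).

    '-' as the input file reads stdin and '--output -' sends the
    (discarded) signature to stdout, so no filesystem path is ever
    handed to gpg or to any cleanup code.
    """
    return [
        "gpg", "--batch",
        "--homedir", gpg_home,
        "--digest-algo", digest_algo,
        "--local-user", key_id,
        "--output", "-",
        "--detach-sign", "-",
    ]


def refresh_unlock(argv, timeout=30.0):
    """Run one no-op signature over empty stdin; True if gpg exited 0."""
    try:
        proc = subprocess.run(argv, input=b"", stdout=subprocess.DEVNULL,
                              stderr=subprocess.PIPE, timeout=timeout,
                              check=False)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


class KeyKeepAlive:
    """Re-run the no-op signature every `interval` seconds until stopped."""

    def __init__(self, argv, interval=60.0, runner=refresh_unlock):
        self.argv, self.interval, self.runner = argv, interval, runner
        self.failures = 0  # a failed refresh means the agent cache may be cold
        self._stop = threading.Event()

    def run(self, rounds=None):
        """Loop until stop() or `rounds` refreshes; returns the refresh count."""
        done = 0
        while not self._stop.is_set() and (rounds is None or done < rounds):
            if not self.runner(self.argv):
                self.failures += 1
            done += 1
            self._stop.wait(self.interval)  # returns early once stop() is called
        return done

    def stop(self):
        self._stop.set()
```

In a job runner, `KeyKeepAlive(argv).run` would be started in a background thread before the first package is signed and `stop()` called once portage finishes.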