From: Mike Gerwitz
To: Werner Koch
Cc: 22883@debbugs.gnu.org, Justus Winter, neal@walfield.org
Subject: Re: bug#22883: Trustable "guix pull"
Date: Sat, 04 Jun 2016 21:43:29 -0400
Message-ID: <877fe4v29q.fsf@gnu.org>

On Sat, Jun 04, 2016 at 18:19:31 +0200, Werner Koch wrote:
> There are no issues with l10n because _all_ scripts SHOULD use gpg with
> the options --status-fd and --with-colons.  That output creates a well
> defined API and we try very hard never to break it.
> [...]
> I have never looked into git to check whether git correctly calls gpg
> to verify signatures.  That should eventually be done.

A quick glance (latest master, gpg-interface.c:208 verify_signed_buffer):

It invokes `gpg --status-fd=1 --verify FILE -`, where FILE is a
signature written to a temporary file for the sake of invoking GPG.  It
checks for a non-zero exit code and GOODSIG:

  ret |= !strstr(pbuf->buf, "\n[GNUPG:] GOODSIG ");

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
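
Added example, not code from git or from this message: one way a caller could read `gpg --status-fd` output line by line, combining the exit code and GOODSIG check described above with the fingerprint reported on the VALIDSIG line. The acceptance policy, the function and macro names, and the sample status lines (fingerprint, key ID, user ID) are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define PFX "[GNUPG:] "
/* Constructed sample data: fingerprint, key ID and user ID are made up. */
#define FPR "0123456789ABCDEF0123456789ABCDEF01234567"
#define VSIG PFX "VALIDSIG " FPR " 2016-06-04 1465090000 0 4 0 1 8 00 " FPR "\n"
static const char GOOD[] = PFX "GOODSIG 89ABCDEF01234567 Example Signer\n" VSIG;
static const char EXPIRED[] = PFX "EXPKEYSIG 89ABCDEF01234567 Example Signer\n" VSIG;

struct sig_status {
    int good, valid, rejected; /* GOODSIG, VALIDSIG, failure-keyword counts */
    char fpr[65];              /* first VALIDSIG field: signing key fingerprint */
};

/* Scan --status-fd output line by line; a keyword counts only when it
 * directly follows the "[GNUPG:] " prefix at the start of a line. */
static void parse_status(const char *buf, struct sig_status *st)
{
    static const char *fail[] = { "BADSIG ", "ERRSIG ", "EXPSIG ",
                                  "EXPKEYSIG ", "REVKEYSIG " };
    memset(st, 0, sizeof *st);
    for (; *buf; buf += strcspn(buf, "\n"), buf += (*buf == '\n')) {
        if (strncmp(buf, PFX, strlen(PFX)) != 0)
            continue;
        const char *kw = buf + strlen(PFX);
        st->good += !strncmp(kw, "GOODSIG ", 8);
        if (!strncmp(kw, "VALIDSIG ", 9)) {
            st->valid++;
            snprintf(st->fpr, sizeof st->fpr, "%.*s",
                     (int)strcspn(kw + 9, " \n"), kw + 9);
        }
        for (size_t i = 0; i < sizeof fail / sizeof *fail; i++)
            st->rejected += !strncmp(kw, fail[i], strlen(fail[i]));
    }
}

/* Assumed policy: exit 0, one GOODSIG, one VALIDSIG, no failure, pinned key. */
static int accept_signature(int gpg_exit, const char *status, const char *pinned)
{
    struct sig_status st;
    parse_status(status, &st);
    return gpg_exit == 0 && st.good == 1 && st.valid == 1 &&
           st.rejected == 0 && strcmp(st.fpr, pinned) == 0;
}

int main(void)
{
    return !(accept_signature(0, GOOD, FPR) && !accept_signature(0, EXPIRED, FPR));
}
```

The program exits 0 when the constructed good sample is accepted and the constructed expired-key sample, which still carries a VALIDSIG line, is refused.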