Will gpg 1.x remain supported for the foreseeable future?

Dan Kegel dank at kegel.com
Fri Jan 19 04:58:52 CET 2018


On Thu, Jan 18, 2018 at 7:52 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> if this is the only thing happening, apt will indeed fail, because it
> has never heard of the "new key" that was just created -- why should it
> accept signatures from that new key?
>
> how are you configuring the target system to point to the repo?  how are
> you telling it where to find the key?

By installing my package, which drops the key into /usr/share/keyrings
and creates the lists.d entries with signed-by.  That ought to suffice,
I gather, but I'm tripping over shoelaces somewhere.

> this looks strange to me -- you seem to be using a --keyring that is
> *inside* the GNUPGHOME that you've set
> (/tmp/obs_localbuild_gnupghome_dank.tmp/).
>
> that GnuPG homedir is really not part of the GnuPG API contract -- and
> anything you put in that homedir could potentially be overwritten by
> GnuPG itself.   How is
> /tmp/obs_localbuild_gpghome_dank.tmp/keyrings/localhost.gpg being
> generated?

It's just a regression test script. I'm cleaning it up and will post
it once it's legible and avoids sins like that.

> The keys referred to via signed-by are the only acceptable keys for the
> associated apt repo.
>
> does that make sense?

That'd be great if it worked.  Since it's hard to explain what's broken
without a simple script showing exactly what I'm doing, let's just
hold that thought until I post one.
- Dan
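The failure Dan describes comes down to how apt resolves the signed-by option: the keyring named there is the only one consulted for that repo, so the key must be at the path the entry names, outside GnuPG's home directory, and not already in /etc/apt/trusted.gpg.d (where it would be trusted for every repo anyway). The following script is an added example, not Dan's test script or anything from the thread; it parses one-line-style sources.list entries, pulls out signed-by, and reports the pitfalls raised above. The sample entries, the existing-path set, and the helper names (parse_source_line, audit_signed_by, audit_sources) are all constructed for this example.

```python
"""Audit apt sources entries for how tightly they pin their signing key.

Added example for the signed-by discussion; sample data below is constructed.
"""
import os
import re
from dataclasses import dataclass, field

# A bare 40-hex-digit signed-by value is a fingerprint pin rather than a file path.
FINGERPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# deb|deb-src [options] uri suite [components...]
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class SourceEntry:
    kind: str                      # "deb" or "deb-src"
    uri: str
    suite: str
    components: list
    options: dict = field(default_factory=dict)   # option name -> list of values


def parse_source_line(line):
    """Parse one one-line-style apt source entry; return None for comments/blank lines.

    Handles "[key=v1,v2 key2=v]" option blocks; the "+=" / "-=" forms are folded into
    the plain key (good enough for auditing which keyring is referenced).
    """
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable source line: {line!r}")
    kind, opts, uri, suite, comps = m.groups()
    options = {}
    for token in (opts or "").split():
        key, _, value = token.partition("=")
        options[key.rstrip("+-")] = value.split(",") if value else []
    return SourceEntry(kind, uri, suite, comps.split(), options)


def audit_signed_by(entry, gnupghome=None, path_exists=os.path.exists):
    """Return a list of findings (empty means the entry pins its key cleanly).

    path_exists is injectable so the check can run against constructed paths.
    """
    findings = []
    refs = entry.options.get("signed-by")
    if not refs:
        findings.append("no signed-by: any key in /etc/apt/trusted.gpg(.d) is accepted for this repo")
        return findings
    home = os.path.normpath(os.path.abspath(gnupghome)) if gnupghome else None
    for ref in refs:
        if FINGERPRINT_RE.match(ref):
            continue   # fingerprint pin; nothing on disk to inspect here
        if not ref.startswith("/"):
            findings.append(f"signed-by keyring must be an absolute path: {ref}")
            continue
        if not path_exists(ref):
            findings.append(f"signed-by keyring not found: {ref}")
        if ref.startswith("/etc/apt/trusted.gpg"):
            findings.append(f"keyring {ref} is already globally trusted; signed-by narrows nothing")
        if home and os.path.commonpath([ref, home]) == home:
            findings.append(f"keyring {ref} lives inside GNUPGHOME {home}; GnuPG may rewrite it")
    return findings


def audit_sources(text, gnupghome=None, existing=None):
    """Audit every entry in a sources.list-style text; map repo URI -> findings."""
    exists = os.path.exists if existing is None else (lambda p: p in existing)
    report = {}
    for line in text.splitlines():
        entry = parse_source_line(line)
        if entry is not None:
            report[entry.uri] = audit_signed_by(entry, gnupghome, exists)
    return report


# Constructed sample: a clean entry, a keyring inside a scratch GNUPGHOME, and no pin at all.
SAMPLE_SOURCES = """\
# constructed sample sources.list, not taken from any real system
deb [signed-by=/usr/share/keyrings/example-archive-keyring.gpg] https://repo.example.test/debian stretch main
deb [signed-by=/tmp/obs_localbuild_gnupghome_dank.tmp/keyrings/localhost.gpg] http://localhost/repo ./
deb https://other.example.test/debian stretch main
"""
# Constructed stand-in for the filesystem so the audit runs offline.
SAMPLE_EXISTING = {
    "/usr/share/keyrings/example-archive-keyring.gpg",
    "/tmp/obs_localbuild_gnupghome_dank.tmp/keyrings/localhost.gpg",
}

if __name__ == "__main__":
    report = audit_sources(SAMPLE_SOURCES, gnupghome="/tmp/obs_localbuild_gnupghome_dank.tmp/",
                           existing=SAMPLE_EXISTING)
    for uri, findings in report.items():
        print(uri, "->", findings or "OK")
```

Run against a real host with `audit_sources(open("/etc/apt/sources.list").read())` and the default `os.path.exists`; the GNUPGHOME argument only matters when a build script exports keys from a scratch homedir, which is the case the thread is about.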
