gpg vs gpgv and trustedkeys

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Feb 26 07:45:51 CET 2019


On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:
> What I am trying to accomplish, is to generate an OS image, which 
> contains a public gpg key. The public key is added using gpg --import and 
> gets added to the newly created pubkey.gpg.

I think your description here is missing some background: why do you
need the public OpenPGP key in your OS image?

If the goal is just to use it with gpgv (e.g. to verify software updates
or some other post-build artifact that you'll fetch over the network)
then i recommend just explicitly pointing gpgv at the curated keyring
using --keyring, and not bothering with public.gpg or anything else.

This is the best approach because it lets you precisely control what is
being checked against, and you don't have to worry that other uses of
~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check
you're hoping to make strong.

if you want an analogous example, check out the best-practice guidance in
https://wiki.debian.org/DebianRepository/UseThirdParty about using
isolated keys per repository (with apt's Signed-By: options).

Regards,

        --dkg
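The recommendation above, as an added example that is not part of the original thread or of GnuPG's own code: a script that builds a curated keyring for an image, verifies a detached signature with `gpgv --keyring` against that keyring alone, and shows that an unrelated keyring and a tampered artifact are both rejected. It assumes `gpg` (2.1.17 or later, for `--quick-generate-key`) and `gpgv` are installed; the key names, file names and artifact contents are constructed throwaways.

```shell
#!/bin/sh
# Added example (not dkg's or GnuPG's code): verify with gpgv against an
# explicit curated keyring so that ~/.gnupg/trustedkeys.{gpg,kbx} is never
# consulted. Assumes gpg >= 2.1.17 and gpgv; all names below are constructed.
set -u

# verify_with_keyring KEYRING SIG ARTIFACT
# Exit 0 only if SIG is a good signature over ARTIFACT by a key in KEYRING.
# Because --keyring is given, gpgv does not fall back to trustedkeys.gpg.
verify_with_keyring() {
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# make_signer HOMEDIR UID KEYRING_OUT
# Create a throwaway signing key in an isolated GnuPG home and export its
# public key to KEYRING_OUT (binary, the form gpgv reads).
make_signer() {
    home=$1; uid=$2; out=$3
    mkdir -p "$home" && chmod 700 "$home" || return 1
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" ed25519 sign never >/dev/null 2>&1 || return 1
    gpg --homedir "$home" --batch --quiet --export --output "$out" "$uid" 2>/dev/null
}

# sign_artifact HOMEDIR ARTIFACT SIG_OUT
# Detached signature over ARTIFACT with the key held in HOMEDIR.
sign_artifact() {
    gpg --homedir "$1" --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$3" "$2" 2>/dev/null
}

# run_demo: full cycle. Returns 0 only if the genuine check passes and both
# the wrong-keyring and the tampered-artifact checks are rejected.
run_demo() {
    work=$(mktemp -d) || return 1
    trap 'gpgconf --homedir "$work/vendor" --kill gpg-agent 2>/dev/null;
          gpgconf --homedir "$work/other" --kill gpg-agent 2>/dev/null;
          rm -rf "$work"' EXIT

    # Vendor key: the one curated into the image's keyring.
    make_signer "$work/vendor" "Vendor Release Key <release@vendor.invalid>" \
        "$work/vendor-keyring.gpg" || return 1
    # Unrelated key: stands in for whatever else might live in trustedkeys.gpg.
    make_signer "$work/other" "Other Key <other@example.invalid>" \
        "$work/other-keyring.gpg" || return 1

    # Constructed artifact standing in for a fetched update.
    printf 'update-1.0.tar contents (constructed)\n' > "$work/update.tar"
    sign_artifact "$work/vendor" "$work/update.tar" "$work/update.tar.sig" || return 1

    # 1. Genuine artifact, curated keyring: must succeed.
    verify_with_keyring "$work/vendor-keyring.gpg" "$work/update.tar.sig" \
        "$work/update.tar" || return 1
    # 2. Same signature, a keyring without the vendor key: must fail
    #    ("Can't check signature: No public key").
    if verify_with_keyring "$work/other-keyring.gpg" "$work/update.tar.sig" \
        "$work/update.tar"; then return 1; fi
    # 3. Tampered artifact, correct keyring: must fail ("BAD signature").
    printf 'x' >> "$work/update.tar"
    if verify_with_keyring "$work/vendor-keyring.gpg" "$work/update.tar.sig" \
        "$work/update.tar"; then return 1; fi
    return 0
}

run_demo; DEMO_STATUS=$?
[ "$DEMO_STATUS" -eq 0 ] && echo "gpgv --keyring demo: all three checks behaved as expected"
```

In an image build you would ship only `vendor-keyring.gpg` (exported with `gpg --export`) and call `gpgv --keyring /path/to/vendor-keyring.gpg update.sig update` from the updater; there is no need to import anything into a GnuPG home on the target, and nothing placed in `trustedkeys.gpg` by another process can widen the set of keys that check accepts.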