sopv-gpgpv: an implementation of the verification-only subset of the Stateless OpenPGP CLI using gpgv as a backend

Todd Zullinger tmz at pobox.com
Fri Jul 26 15:54:32 CEST 2024


Hello,

Werner Koch via Gnupg-users wrote:
> while talking about gpgv, let me remind you about the new
> --assert-signer option which can be used as a replacement for gpgv.

In a similar way, is there anyone able and interested in
helping to move https://dev.gnupg.org/T2290 (Allow gpgv2 to
use armored GPG keys as keyring file with trusted keys)
forward?

A reasonably common use case for gpgv is to verify
signatures on release artifacts by distribution packaging
tools.  Being able to use the upstream-provided key
material, which is typically armored, would make things a
bit simpler and easier to verify for people interested in
ensuring those packages are using the proper key material
and are not introducing any issues.

In the Fedora/Red Hat world, a gpgverify script has been
added which must call `gpg --dearmor` to strip the armor
from an upstream key, requiring tmp files and such.  I
imagine this similarly affects Debian-based packages as
well.

It would be cleaner to just call gpgv (or some form of gpg
with --assert-signer, perhaps).

-- 
Todd
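
What the `gpg --dearmor` step mentioned in the message has to do before gpgv can read an upstream key, as an added example (not code from the gpgverify script or from GnuPG): strip the ASCII armor, check its CRC-24, and return the binary packets. The names `armor`, `dearmor` and `SAMPLE` are hypothetical, and the sample payload is constructed bytes, not a real key.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB   # RFC 4880, section 6.1
# Constructed stand-in for binary key packets (not a real OpenPGP key).
SAMPLE = bytes(range(100))


def crc24(data: bytes) -> int:
    """CRC-24 checksum used by OpenPGP ASCII armor."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes) -> str:
    """Build an armored block; used here only to construct sample input."""
    body = base64.encodebytes(payload).decode().strip()
    check = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            "Comment: constructed sample\n\n"
            f"{body}\n={check}\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Return the binary packets from one armored public key block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if (len(lines) < 3
            or lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----"
            or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not a single armored public key block")
    if "" not in lines:
        raise ValueError("missing blank line after armor headers")
    body = lines[lines.index("") + 1:-1]     # skip the armor headers
    checksum = None
    if body and body[-1].startswith("=") and len(body[-1]) == 5:
        checksum = body.pop()[1:]            # optional "=XXXX" CRC-24 line
    # binascii.Error raised on bad base64 is a subclass of ValueError
    payload = base64.b64decode("".join(body), validate=True)
    if checksum is not None and (
            int.from_bytes(base64.b64decode(checksum), "big") != crc24(payload)):
        raise ValueError("armor CRC-24 mismatch")
    return payload
```

The bytes returned by `dearmor` are what would be written to the file passed to gpgv with `--keyring`, which is the temporary-file step the message describes.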