Re: [Gnu-arch-users] signing rules
From: David Allouche
Subject: Re: [Gnu-arch-users] signing rules
Date: Sat, 12 Mar 2005 16:04:10 +0100

On Wed, 2005-03-09 at 00:03 +1100, Robert Collins wrote:
> I wonder if folk would be kind enough to let me know what signing and
> check rules they are using?
>
> I'm implementing a prototype of
> http://wiki.gnuarch.org/moin.cgi/SigningRules - and knowing what
> =default.check and archive specific check rules are in use, will let me
> provide auto-conversion code for the common case users.
>
> So - please let me know what you use - and if someone else has already
> said they use the same rule, still let me know :).

=default.check

    tla-gpg-check gpg_command="gpg --verify-files -"

That's, well, the default.

address@hidden (and other check rules)

    ~/.arch-params/bin/my-gpg-check jblack

Each archive uses a named keyring.
All keyrings have only one key so far.

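~/.arch-params/bin/my-gpg-check

    #! /bin/sh
    # Check rule wrapper: verify signatures against one named keyring only.
    if test $# -ne 1 ; then
        echo "Usage: my-gpg-check KEYRING" >&2
        exit 1
    fi
    # The ~ is quoted, so the shell leaves it alone; gpg expands a
    # leading ~/ in a keyring name itself.
    opts="--keyring ~/.arch-params/keyrings/$1.gpg --no-default-keyring"
    # Run the stock check through quietify: silent unless it fails.
    exec ~/.arch-params/bin/quietify -out \
        tla-gpg-check gpg_command="gpg $opts --verify-files -"
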
That's mostly a wrapper that uses the quietify script.

~/.arch-params/bin/quietify

    #! /bin/sh
    set -e
    self=`basename "$0"`

    usage () {
    cat <<EOF
    Usage: $self [-out] CMD ARG ...
    Execute CMD with the given ARGS.
    Stderr is redirected to a temporary file. If CMD exits with a non-zero
    status, the contents of the temporary file are printed to stderr.
      -out   also redirect stdout
    EOF
    }

    # Optional leading -out: capture stdout as well as stderr.
    if test "$1" = "-out" ; then
        shift
        redirect_stdout=true
    else
        redirect_stdout=false
    fi
    if test $# -lt 1 ; then
        usage >&2
        exit 1
    fi

    # Replay the captured output only on failure, then clean up and
    # exit with the status given as $1.
    finish () {
        set +e
        if test $1 -ne 0 && test -n "$logfile" && test -f "$logfile" ; then
            cat "$logfile" >&2
        fi
        rm -f "$logfile"
        exit $1
    }

    # Clean up the temporary file if a signal interrupts the command.
    for i in 1 2 3 10 12 13 15 ; do
        trap "finish 1" $i
    done

    # Temporary log in the current directory, named after the command.
    logfile=$(mktemp ,"$self"-"$(basename "$1")".XXXXXX)

    # Run the command with errexit off so its status can be recorded.
    set +e
    if $redirect_stdout ; then
        "$@" > "$logfile" 2>&1
        status="$?"
    else
        "$@" 2> "$logfile"
        status="$?"
    fi
    set -e
    finish "$status"

IIRC the point of this script is shutting down verbosity, but still
having it handy for diagnostic if something went wrong.
It's quite possible that this effect could have been achieved by passing
the appropriate options to gpg, but at the time I was completely scared
by this software. Toooooo many options.
In a nutshell this setup provides:
* One keyring per archive.
* No needless verbosity.
* Useful diagnostic output in case of failure.
* Relatively easy addition of new archives.
--
-- ddaa
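
Added example, not part of the original message or of tla: with one keyring per archive, the check accepts a signature from any key in that keyring, so the setup pins an archive to one signer only while the keyring holds exactly the expected key. The sketch below checks that property on a `gpg --with-colons` key listing; the function names, fingerprints and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the post. Function names are hypothetical.
# Input: a `gpg --with-colons --fingerprint --list-keys` listing on stdin.

# Print the number of primary keys ("pub" records) in the listing.
count_primary_keys() {
    awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# Print the fingerprint of each primary key: the first "fpr" record
# after a "pub" record (field 10). Subkey fingerprints are skipped.
primary_fingerprints() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# Succeed only if the listing holds exactly one primary key and its
# fingerprint equals the expected one given as $1.
keyring_is_pinned() {
    listing=$(cat)
    n=$(printf '%s\n' "$listing" | count_primary_keys)
    [ "$n" -eq 1 ] || return 1
    [ "$(printf '%s\n' "$listing" | primary_fingerprints)" = "$1" ]
}

# Constructed sample data (placeholder fingerprints, not real keys).
FPR_A=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FPR_C=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
ONE_KEY="pub:-:1024:17:AAAAAAAAAAAAAAAA:1110639850:::-:::scESC:
fpr:::::::::$FPR_A:
uid:-::::1110639850::::Constructed Signer <signer@example.invalid>:
sub:-:2048:16:BBBBBBBBBBBBBBBB:1110639850::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:"
TWO_KEYS="$ONE_KEY
pub:-:1024:17:CCCCCCCCCCCCCCCC:1110639850:::-:::scESC:
fpr:::::::::$FPR_C:"

# Demo on the constructed listings.
printf '%s\n' "$ONE_KEY" | keyring_is_pinned "$FPR_A" && echo "one key: pinned"
printf '%s\n' "$TWO_KEYS" | keyring_is_pinned "$FPR_A" || echo "two keys: rejected"
```

For a real keyring, pipe `gpg --no-default-keyring --keyring FILE --with-colons --fingerprint --list-keys` into `keyring_is_pinned` with a fingerprint obtained out of band.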