Bug#695914: marked as pending
James McCoy
jamessan at debian.org
Thu Dec 20 13:07:24 UTC 2012
On Thu, Dec 20, 2012 at 11:36:16AM +0100, Ansgar Burchardt wrote:
> On 12/20/2012 04:29 AM, James McCoy wrote:
> > commit 0e804cc658e3a00e07873a4be880f3d2769c913f
> > Author: James McCoy <jamessan at debian.org>
> > Date: Wed Dec 19 22:25:01 2012 -0500
> >
> > dscverify: Use "gpg --status-fd" to get more details about validity
> >
> > Simply running "gpg < file" doesn't ensure the content is properly
> > signed. Even when it does, we may not be using the signed content.
> >
> > Using "gpg --status-fd 1 < file" solves both of these issues. Even
> > though it still won't error out with an unsigned file, we'll be able to
> > detect that the content wasn't signed by the lack of a VALIDSIG status.
> > Also, the command will emit the signed content between PLAINTEXT status
> > and any subsequent status lines.
>
> Mixing the status output from gpg and the data is a bad idea. It's
> probably still possible to bypass the check with something like
Good point. I just pushed an update:
http://anonscm.debian.org/gitweb/?p=devscripts/devscripts.git;a=commit;h=3e4b99becfc2e978887f2a52124970318bafe943
Cheers,
--
James
GPG Key: 4096R/331BA3DB 2011-12-05 James McCoy <jamessan at debian.org>
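An added example, written for this page and not devscripts' own dscverify code nor the fix in the commit linked above: it parses gpg's status-fd lines, accepts only a VALIDSIG whose full fingerprint is in a trusted set, and runs gpg with the status lines on a private pipe while the signed payload is written by gpg itself to a separate file. It also constructs a shared-stdout stream of the kind "gpg --status-fd 1 < file" produces, to show why mixing status and data is ambiguous; Ansgar's own example is cut off on the page, so that scenario (an unverifiable signature whose signed data happens to contain a line shaped like a status line) is this example's construction, not his. The trusted fingerprint, both sample streams, the ERRSIG/NO_PUBKEY lines and all helper names are assumptions.

```python
"""Added example, not devscripts' dscverify code: check a gpg signature from
the status fd while the signed payload goes to a separate file.
Assumed for the example: TRUSTED_FINGERPRINTS, both sample streams and all
helper names below are constructed, not taken from the project."""
import os
import subprocess

STATUS_PREFIX = "[GNUPG:] "

# Constructed: the only key fingerprint this check accepts.
TRUSTED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# Constructed: what gpg writes to its status fd for one good signature
# (VALIDSIG carries the full fingerprint; GOODSIG only a short key id).
SAMPLE_STATUS = (
    "[GNUPG:] PLAINTEXT 74 1356008016\n"
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-12-20 "
    "1356008016 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_FULLY\n"
)

# Constructed: a run of "gpg --status-fd 1 < file", where status lines and the
# signed text share stdout. gpg could not verify this signature (ERRSIG,
# NO_PUBKEY), but the signed *data* contains a line shaped like a status line.
MIXED_STREAM = (
    "[GNUPG:] PLAINTEXT 74 1356008016\n"
    "Format: 3.0 (quilt)\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-12-20 "
    "1356008016 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "Source: example\n"
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] ERRSIG FEDCBA9876543210 1 10 00 1356008016 9\n"
    "[GNUPG:] NO_PUBKEY FEDCBA9876543210\n"
)


def parse_status(status_text):
    """Return (keyword, args) pairs for every '[GNUPG:] ' line in the text."""
    entries = []
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if fields:
                entries.append((fields[0], fields[1:]))
    return entries


def trusted_signer(status_text, trusted=TRUSTED_FINGERPRINTS):
    """Fingerprint from VALIDSIG if exactly one signature verified and it is a
    trusted key; None for unsigned, BADSIG, ERRSIG or an untrusted key."""
    fprs = [args[0].upper() for kw, args in parse_status(status_text)
            if kw == "VALIDSIG" and args]
    if len(fprs) == 1 and fprs[0] in trusted:
        return fprs[0]
    return None


def split_mixed(stream):
    """Apply the rule from the commit message to a shared stdout: the signed
    content is what sits between PLAINTEXT and the next status line. Returns
    (status_entries, data_lines). On MIXED_STREAM both are wrong: the data is
    cut short and the data line that looks like VALIDSIG counts as status, so
    trusted_signer(MIXED_STREAM) accepts a file gpg could not verify."""
    entries, data, in_data = [], [], False
    for line in stream.splitlines():
        if line.startswith(STATUS_PREFIX):
            fields = line[len(STATUS_PREFIX):].split()
            if not fields:
                continue
            entries.append((fields[0], fields[1:]))
            in_data = fields[0] == "PLAINTEXT"
        elif in_data:
            data.append(line)
    return entries, data


def gpg_verify_separated(signed_path, out_path, gpg="gpg"):
    """Run gpg with status on a private pipe and the signed payload written by
    gpg to out_path. Returns (exit_code, status_text). The signed file cannot
    inject into the status pipe because the data never shares that channel."""
    read_fd, write_fd = os.pipe()
    try:
        proc = subprocess.Popen(
            [gpg, "--batch", "--no-tty", "--yes", "--status-fd", str(write_fd),
             "--output", out_path, "--decrypt", signed_path],
            pass_fds=(write_fd,), stdin=subprocess.DEVNULL,
            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        os.close(read_fd)
        raise
    finally:
        os.close(write_fd)  # drop our copy so read() sees EOF when gpg exits
    with os.fdopen(read_fd, "r", errors="replace") as status_pipe:
        status_text = status_pipe.read()
    return proc.wait(), status_text


def verify_signed_file(signed_path, out_path):
    """Return the trusted signer's fingerprint or raise; afterwards use only
    out_path, which gpg wrote, as the signed content."""
    exit_code, status_text = gpg_verify_separated(signed_path, out_path)
    fingerprint = trusted_signer(status_text)
    if exit_code != 0 or fingerprint is None:
        raise ValueError("no VALIDSIG from a trusted key for %s" % signed_path)
    return fingerprint
```

Usage is verify_signed_file("foo.dsc", "foo.dsc.signed") with a key whose fingerprint is in TRUSTED_FINGERPRINTS. The two sample streams need no gpg at all: trusted_signer(SAMPLE_STATUS) returns the trusted fingerprint, while split_mixed(MIXED_STREAM) yields a truncated payload and trusted_signer(MIXED_STREAM) wrongly returns the same fingerprint, which is the ambiguity that a separate status fd plus --output removes.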