Releasing 2.0.3
Dan Villiom Podlaski Christiansen
danchr at gmail.com
Tue Sep 6 23:09:14 PDT 2011
On 6 Sep 2011, at 11:24, Rainer Müller wrote:
> On 09/06/2011 10:06 AM, Anders F Björklund wrote:
>> Rainer Müller wrote:
>>> They are detached signatures created with GnuPG:
>>>
>>> gpg --armor --detach-sign MacPorts-2.0.3-10.5-Leopard.dmg
>>>
>>> Of course this requires a previous set up of a PGP key which would be
>>> quite useless without signatures proving your identity.
>>
>> Wouldn't you also need GnuPG, in order to verify it ?
>>
>> Like, before installing MacPorts.
>
> Well, this is exactly the reason it's not a mandatory step documented in the ReleaseProcess as it has known problems.
>
> As an alternative, we could create detached rmd160 signatures using openssl as we do for the packages now. But you would need a public key to verify them. That key needs to be verified as well against a known authority (which?). Where should we publish it?
>
> I don't know any good solution for this.
Have you considered signing them with a CMS/PKCS #7 signature? You should be able to use any standard email certificate; verification could be done using either ‘security cms’ (or perhaps ‘openssl smime’) provided the certificate is trusted in a standard Mac OS X installation.
--
Dan Villiom Podlaski Christiansen
danchr at gmail.com
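The two signing shapes the thread weighs against each other, a raw detached signature with a bare public key (the openssl rmd160 approach used for packages) and a detached CMS/PKCS #7 signature verified against a trusted certificate, as an added example that is not part of the thread or of the MacPorts release process. It assumes only that OpenSSL is installed; the artifact contents, file names and key material are constructed for the example, a self-signed certificate stands in for the e-mail certificate Dan mentions, and sha256 is used in place of rmd160 because RIPEMD-160 is not shipped in every OpenSSL build. Both verifiers are run against the original artifact and a tampered copy to show that the detached signature binds to the exact bytes.

```shell
#!/bin/sh
# Added example (not from the thread): detached release signatures with OpenSSL,
# once as a raw signature over a bare key pair and once as CMS/PKCS #7.
# All file names, key material and artifact contents are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the release .dmg, plus a copy with one appended line.
printf 'MacPorts release artifact (constructed test data)\n' > release.dmg
cp release.dmg tampered.dmg
printf 'one appended line\n' >> tampered.dmg

# Variant 1: raw detached signature (what "rmd160 signatures using openssl" means).
# The public half is the key users would have to obtain and trust out of band,
# which is exactly the distribution problem the thread raises.
make_raw_keys() {
    openssl genrsa -out release-key.pem 2048 2>/dev/null
    openssl rsa -in release-key.pem -pubout -out release-pub.pem 2>/dev/null
}

sign_raw() {  # $1 artifact, $2 signature output
    # sha256 stands in for rmd160 (RIPEMD-160 is absent from some OpenSSL builds).
    openssl dgst -sha256 -sign release-key.pem -out "$2" "$1"
}

verify_raw() {  # $1 artifact, $2 signature, $3 public key; exits 0 only if valid
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

# Variant 2: detached CMS/PKCS #7 signature. The signer is an X.509 certificate,
# so the verifier checks a chain to a trust anchor instead of holding a bare key.
# A self-signed certificate is used here; in the proposal it would be a
# certificate issued by a CA already trusted on a standard Mac OS X install.
make_cms_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=MacPorts release signing (constructed)' \
        -keyout cms-key.pem -out cms-cert.pem 2>/dev/null
}

sign_cms() {  # $1 artifact, $2 detached signature output (DER-encoded CMS)
    # Without -nodetach, openssl cms produces a detached signature.
    openssl cms -sign -binary -in "$1" \
        -signer cms-cert.pem -inkey cms-key.pem \
        -outform DER -out "$2"
}

verify_cms() {  # $1 artifact, $2 signature, $3 trust anchor; exits 0 only if valid
    openssl cms -verify -binary -inform DER -in "$2" -content "$1" \
        -CAfile "$3" -out /dev/null 2>/dev/null
}

make_raw_keys
sign_raw release.dmg release.dmg.sig
make_cms_cert
sign_cms release.dmg release.dmg.p7s

# Each verifier must accept the original and reject the tampered copy.
if verify_raw release.dmg release.dmg.sig release-pub.pem; then
    echo "raw signature: original verifies"
fi
if ! verify_raw tampered.dmg release.dmg.sig release-pub.pem; then
    echo "raw signature: tampered copy rejected"
fi
if verify_cms release.dmg release.dmg.p7s cms-cert.pem; then
    echo "CMS signature: original verifies"
fi
if ! verify_cms tampered.dmg release.dmg.p7s cms-cert.pem; then
    echo "CMS signature: tampered copy rejected"
fi
```

The CMS variant only moves the trust question, it does not remove it: verification succeeds because the self-signed certificate is passed as the trust anchor, and with a real certificate it succeeds because the issuing CA is already in the system trust store. That is the advantage Dan points to, a trust root that ships with the OS rather than a MacPorts public key that must be published and verified separately.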