gpg_verify 1.0 feedback

Steven Smith steve.t.smith at gmail.com
Fri Sep 25 01:51:30 UTC 2020


> I imagine there could be a much simpler interface for this using this PortGroup, making it more appealing to add it to ports. … The PortGroup would handle fetching the .sig or .asc file

Certainly port group gpg_verify can be improved.

However, reliance on accessing key servers is a Very Bad Idea™️ and doomed to fail. See the internet and previous discussions on this port group for the myriad reasons why this is.

> I think that gpg signature verification is something that belongs in
> maintainer-facing tools rather than in Portfiles. If the maintainer
> verifies the distfile's signature before updating the checksums, the
> user gets close to the same assurances while avoiding a lot of complexity.
> 
> I always verify before updating if the project provides signatures, and
> I would hope others do the same, but also wouldn't be surprised if some
> don't. 

Checksumming commands, especially gnupg ones, are arcane, error-prone, and add complication and time *especially* when done by hand.

If they’re not automated, they won’t be used. I wouldn’t trust them to be used (even by myself) for these reasons.

The simplest solution is a gpg verification block in the Portfile in the very few cases where it’s appropriate, rather than building an additional macports tool to do this. But if someone wants to take this on, then fine as long as it’s automated.

Steve
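The kind of automated check argued for above, as an added example that is not part of the thread or of the gpg_verify port group: it runs gpg only against a keyring shipped with the port (no keyserver contact) and accepts the distfile only if the `VALIDSIG` status line names a pinned fingerprint, since a zero exit status or a bare `GOODSIG` means only that some key in the keyring signed the file. The sample status output and fingerprints below are constructed; `verify_distfile` assumes gpg is on PATH.

```python
"""Verify a detached GnuPG signature against a pinned key fingerprint (offline)."""
import subprocess
from typing import Iterable, Tuple

# Constructed sample fingerprints (not real keys): signing subkey and primary key.
SIGNING_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
PRIMARY_FPR = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Constructed sample of `gpg --status-fd 1 --verify` output for a good signature.
SAMPLE_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint at example.org>
[GNUPG:] VALIDSIG {SIGNING_FPR} 2020-09-24 1600903890 0 4 0 1 10 01 {PRIMARY_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

FATAL = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}


def check_status(status_text: str, pinned_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) from gpg --status-fd output.

    Accepts only when a VALIDSIG line's signing or primary-key fingerprint is in
    the pinned set; any fatal status keyword rejects immediately.
    """
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    seen = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FATAL:
            return False, fields[1]
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            signing = fields[2].upper()
            # The primary-key fingerprint is the 12th field when gpg emits it.
            primary = fields[11].upper() if len(fields) >= 12 else signing
            if signing in pinned or primary in pinned:
                return True, "VALIDSIG " + primary
            seen.append(primary)
    if seen:
        return False, "VALIDSIG from unpinned key " + seen[0]
    return False, "no VALIDSIG"


def verify_distfile(distfile: str, sigfile: str, keyring: str,
                    pinned_fprs: Iterable[str]) -> Tuple[bool, str]:
    """Run gpg against a port-local keyring only (never a keyserver) and check it."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sigfile, distfile]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return check_status(proc.stdout, pinned_fprs)
```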