Harden get-latest-pulsecore.sh #166
Conversation
| for key in "${trusted_signers[@]}"; do | ||
| echo "$key:6:" | gpg --import-ownertrust | ||
| for i in keyserver.ubuntu.com keys.openpgp.org pgp.mit.edu keyserver.pgp.com; do | ||
| sq keyserver --server "$i" get --binary -- "0x$key" && break | ||
| done | ||
| done | gpg --homedir=../gnupg-tmp --import --no-armor | ||
| gpg --homedir=../gnupg-tmp --export -- "${trusted_signers[@]}" | gpg --import --no-armor | ||
|
|
||
| for key in "${trusted_signers[@]}"; do | ||
| echo "$key:6:" | ||
| done | gpg --import-ownertrust |
There was a problem hiding this comment.
Why two keyrings and all this dance?
But also, I don't like using both sequoia and gnupg. If sequoia can handle all the tasks (including git tag verification), then switch completely, otherwise stick with gnupg (and perhaps commit pubkeys into the repo to avoid keyservers interaction).
There was a problem hiding this comment.
Because I don’t want to rely on GnuPG’s networking code, but Git does not support Sequoia. Committing the public keys to the repo is a simpler solution.
There was a problem hiding this comment.
Besides the thing above (which is still relevant), why two temporary gpg's homedirs? Does sq keyserver get potentially fetches a different key than it was asked for?
There was a problem hiding this comment.
I think I can use the chameleon version of Sequoia.
This uses stricter input validation and key handling. It also uses Sequoia instead of GnuPG for key fetching.
DemiMarie
force-pushed
the
harden-pulsecore-get
branch
from
c403c1e
to
77a8b02
Compare
This uses stricter input validation and key handling. It also uses
Sequoia instead of GnuPG for key fetching.