Re: [Libguestfs] [PATCH 2/2] builder: use a disposable GPG keyring for every Sigchecker
On Friday 21 February 2014 11:10:54 Richard W.M. Jones wrote:
On Thu, Feb 20, 2014 at 11:53:17AM +0100, Pino Toscano wrote:
> Create a temporary directory and tell gpg to use it as homedir, so
> imported keys do not get into the user's keyring. This also avoid
> importing the default key when a different one is needed to check
> the
> signature.
>
> The only exception is when a non-default fingerprint is used: in
> this
> case, that key is read from the user's keyring, since it is where it
> is.
The mkdtemp part is fine. You could spin that off into a separate
commit, so it could be a candidate for backporting.
Hm but it would not be used by anything else so far, so not sure what
would the backport of it actually do.
The rest I found a bit confusing. What does it do exactly?
The idea is to use a disposable keyring for each Sigchecker.t, so
imported keys used for checking won't be imported directly into the
user's keyring. The "exception" would be when asking to use a
fingerprint different than the default one, which would be taken from
the user's keyring.
Currently it does not make much difference, since the only key not in
user's keyring would be only the default one. In the future, external
keys stored in own files would be imported in each Sigchecker.t, so not
tampering the user's keyring.
The current patch is a small step in that direction (the rest is
basically almost done).
I'm not sure what is confusing in the patch though...
--
Pino Toscano