From discussion on some commented out code in our Debian scripts (#85 (comment)):
I took a stab at it and I think it should be something like this
```shell
GPG_KEYSERVER=pgp.mit.edu
GPG_KEYS="1AA043B8 C8B9E30B0DBCAB595E98DF5C965467189B776908"

# Download sources
wget "https://downloads.theforeman.org/${project}/${project}-${VERSION}.tar.bz2" \
     "https://downloads.theforeman.org/${project}/${project}-${VERSION}.tar.bz2.sig"

# Verify with packaging key
tmp_keyring="$(mktemp)"
# $GPG_KEYS is left unquoted so that each key is passed as its own argument
gpg2 --no-default-keyring --keyserver "$GPG_KEYSERVER" --keyring "$tmp_keyring" --recv-keys $GPG_KEYS
if gpg2 --no-default-keyring --keyring "$tmp_keyring" --verify "${project}-${VERSION}.tar.bz2.sig" ; then
  rm "$tmp_keyring"
  true # ok
else
  rm "$tmp_keyring"
  exit 2
fi
```
And I did have some issues with pgp.mit.edu, but that's where we upload it: https://github.com/theforeman/theforeman-rel-eng/blob/7d8f8c69f935c7912088dd5137520ddeb165d219/upload_gpg#L15
And yes, we should also specify the long key for the old key since short keys are vulnerable.
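An added example, not part of the original issue or the Foreman packaging scripts: one way to act on the short-key point is to pin full fingerprints and accept a signature only when gpg's `--status-fd` output contains a `VALIDSIG` line naming one of them, rather than relying on the exit code against a keyring fetched by key ID. The function names and the sample status lines are constructed for illustration; the fingerprint is the one quoted in the issue.

```shell
# Added example: accept a signature only when gpg reports VALIDSIG for a
# pinned 40-hex-digit fingerprint. Names below are illustrative assumptions.
# The short ID 1AA043B8 is left out: its long form is not given in the issue.
PINNED="C8B9E30B0DBCAB595E98DF5C965467189B776908"

# is_full_fpr FPR: true only for exactly 40 hex digits (a v4 fingerprint).
is_full_fpr() {
  case "$1" in
    ''|*[!0-9A-Fa-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# signer_is_pinned "FPR ...": reads `gpg --status-fd 1 --verify` output on
# stdin. Returns 0 on a pinned VALIDSIG, 1 if none, 2 if a pin is a short ID.
signer_is_pinned() {
  pins=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  for p in $pins; do
    if ! is_full_fpr "$p"; then
      echo "refusing short key ID: $p" >&2
      return 2
    fi
  done
  found=1
  while read -r tag keyword fpr rest; do
    if [ "$tag" != "[GNUPG:]" ] || [ "$keyword" != "VALIDSIG" ]; then
      continue
    fi
    # The last VALIDSIG field is the primary key's fingerprint; if it is
    # missing, fall back to the signing key's fingerprint.
    primary=${rest##* }
    is_full_fpr "$primary" || primary=$fpr
    for p in $pins; do
      if [ "$p" = "$primary" ]; then found=0; fi
    done
  done
  return "$found"
}

# Constructed status output: a subkey (fake fingerprint) of the pinned key.
sample_status() {
  printf '%s\n' \
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.invalid>" \
    "[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2020-01-01 1577836800 0 4 0 1 8 00 $PINNED"
}

sample_status | signer_is_pinned "$PINNED" && echo "signer is pinned"
```

In a real run the input would come from `gpg2 --no-default-keyring --keyring "$tmp_keyring" --status-fd 1 --verify "$sig" "$tarball"` piped into `signer_is_pinned`, where `$sig` and `$tarball` stand for the downloaded files.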