gpg vs gpgv and trustedkeys

Olliver Schinagl oliver at schinagl.nl
Wed Feb 27 21:10:36 CET 2019


Hey Daniel,

On 26-02-2019 07:45, Daniel Kahn Gillmor wrote:
> On Mon 2019-02-25 07:54:33 +0100, Olliver Schinagl wrote:
>> What I am trying to accomplish, is to generate an OS image, which 
>> contains a public gpg key. The public key is added using gpg --import and 
>> gets added to the newly created pubkey.gpg.
> I think your description here is missing some background: why do you
> need the public OpenPGP key in your OS image?
Well it is an embedded system, so the OS image is for the embedded
system. During development, engineers also log in to the system and may
need to use the gpgv tool to check things. Having to point to the exact
file is just a common cause of mistakes: 'where was that file again' or
'oh, forgot'. But sure, it is manageable.
>
> If the goal is just to use it with gpgv (e.g. to verify software updates
> or some other post-build artifact that you'll fetch over the network)
> then i recommend just explicitly pointing gpgv at the curated keyring
> using --keyring, and not bothering with public.gpg or anything else.
Passing it via the argument would be 'ok', were it not for the fact that
the option was removed a while ago from gpg. So we were reluctant to use
it with gpgv as it, too, could just disappear.
>
> This is the best approach because it lets you precisely control what is
> being checked against, and you don't have to worry that other uses of
> ~/.gnupg/trustedkeys.{gpg,kbx} might end up polluting the specific check
> you're hoping to make strong.

Sure, but sometimes you don't care about the precise control; just that
it works as expected, which is what my question was about. So I do thank
you a lot for taking the time to answer.


However, now that I have the solution (which I kinda guessed) it still
does not explain the discrepancy (and especially any text about it).

Simple example; I have my keys in my keychain generated/created via gpg.
Now I want to use gpgv to validate something with my key, but now I
explicitly have to point it to the pubkey, because the default of gpgv
is trustedkeys. So why the differences? Why are these not in sync, what
is the purpose? If the reason is to force the user to use the parameter,
why set a default, and why set a default that does not match the generator?


Thanks :)

Olliver


>
> if you want an analogous example, check out the best-practice guidance in
> https://wiki.debian.org/DebianRepository/UseThirdParty about using
> isolated keys per repository (with apt's Signed-By: options).
>
> Regards,
>
>         --dkg
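The situation Olliver describes and the fix dkg recommends, as an added runnable illustration that is not part of either message: gpg generates and signs with a key in its own pubring, an unqualified gpgv call in the same GNUPGHOME fails because gpgv only reads trustedkeys.{kbx,gpg}, and gpgv --keyring pointed at a curated export succeeds. It assumes gpg 2.1 or later and gpgv are on PATH; the "Demo Signer" key, the payload and the temporary GNUPGHOME are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed key "Demo Signer" and a
# throw-away GNUPGHOME; requires gpg >= 2.1 and gpgv on PATH.
set -u

# gpg writes the generated key to $GNUPGHOME/pubring.kbx and signs with it.
setup_demo() {
    WORK=$(mktemp -d)
    GNUPGHOME="$WORK/gnupghome"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Signer <demo@example.invalid>' ed25519 sign never
    printf 'constructed update payload\n' > "$WORK/update.bin"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$WORK/update.bin.sig" "$WORK/update.bin"
}

# Without --keyring, gpgv consults only $GNUPGHOME/trustedkeys.{kbx,gpg}.
# Nothing above created that file, so this returns non-zero ("No public key")
# even though gpg in the same GNUPGHOME knows the key.
verify_with_default_keyring() {
    gpgv --quiet "$WORK/update.bin.sig" "$WORK/update.bin" 2>/dev/null
}

# The approach recommended in the thread: export just the trusted public key
# into a curated binary keyring (gpgv does not read armored keyrings) and
# hand that file to gpgv explicitly. Returns 0 on a good signature.
verify_with_curated_keyring() {
    gpg --batch --quiet --export --output "$WORK/curated-keyring.gpg" \
        'Demo Signer <demo@example.invalid>'
    gpgv --quiet --keyring "$WORK/curated-keyring.gpg" \
        "$WORK/update.bin.sig" "$WORK/update.bin" 2>/dev/null
}

teardown_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

if command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1; then
    setup_demo
    verify_with_default_keyring && echo "default keyring: good signature" \
        || echo "default keyring: FAILED (no trustedkeys.gpg in GNUPGHOME)"
    verify_with_curated_keyring && echo "--keyring curated export: good signature" \
        || echo "--keyring curated export: FAILED"
    teardown_demo
fi
```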
