This repository was archived by the owner on Jun 21, 2018. It is now read-only.

Verify the signature on dotfiles when creating a homedir #97

Merged: KellerFuchs merged 2 commits into hashbang:master from KellerFuchs:gpg on Jun 19, 2016

Conversation

@KellerFuchs (Member)

This is done in two steps:

  1. make a world-readable, role-based, GnuPG keyring;
  2. use it to check the signature of the git HEAD when cloning the dotfiles repo.
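The two steps described above, as an added example that is not the PR's own code (the PR does this from skel/.bash_profile). It assumes gpg 2.x and a git with `verify-commit --raw` are installed, and that a world-readable keyring file holding only the role (admin) public keys exists; the path and script name are hypothetical. The `trust-model always` and `no-auto-key-retrieve` lines written into the throwaway gpg.conf are my choices, guided by the PR's remark that such settings are only sane in an empty GNUPGHOME, not copied from the PR.

```shell
#!/bin/sh
# Added example; not code from the hashbang PR. It shows the two steps the
# PR describes: a dedicated, role-based keyring, and a check of the
# signature on HEAD of the freshly cloned dotfiles repository before its
# files are used for the new home directory.
set -u

# verify_head_signature REPO_DIR KEYRING
# Exit status:
#   0  HEAD carries a good signature from a key present in KEYRING
#   1  HEAD is unsigned (or git could not verify it for another reason)
#   2  setup problem: KEYRING unreadable or gpg could not import it
#   3  signed by a key that is not in KEYRING (gpg reports NO_PUBKEY)
#   4  signature present but does not match the commit (gpg reports BADSIG)
# A fresh, empty GNUPGHOME holds only the role keys, so the caller's own
# keyring and trust database play no part in the decision. `trust-model
# always` is acceptable only in such a throwaway home (never in a personal
# gpg.conf); it avoids depending on an ownertrust database. The explicit
# `no-auto-key-retrieve` keeps an unknown signer from being resolved via a
# keyserver, which would defeat the whole point of the role keyring.
verify_head_signature() {
    repo=$1 keyring=$2
    [ -r "$keyring" ] || { echo "keyring $keyring is not readable" >&2; return 2; }
    home=$(mktemp -d) || return 2
    chmod 700 "$home"
    printf '%s\n' 'trust-model always' 'no-auto-key-retrieve' > "$home/gpg.conf"
    if ! GNUPGHOME=$home gpg --batch --quiet --import "$keyring" >/dev/null 2>&1; then
        rm -rf "$home"
        return 2
    fi
    # git inherits GNUPGHOME, so gpg sees only the keys imported above.
    # --raw puts gpg's status lines on stderr, which lets the failure
    # modes be told apart below.
    status=$(GNUPGHOME=$home git -C "$repo" verify-commit --raw HEAD 2>&1 >/dev/null)
    rc=$?
    rm -rf "$home"
    [ "$rc" -eq 0 ] && return 0
    case $status in
        *NO_PUBKEY*) return 3 ;;
        *BADSIG*)    return 4 ;;
        *)           return 1 ;;
    esac
}

# clone_dotfiles URL DEST KEYRING
# Clone, verify HEAD, and remove the clone rather than leave unverified
# files (a .bash_profile, for instance) in place for the new home directory.
clone_dotfiles() {
    url=$1 dest=$2 keyring=$3
    git clone --quiet "$url" "$dest" || return 1
    verify_head_signature "$dest" "$keyring" && return 0
    rc=$?
    echo "refusing to use $dest: signature check on HEAD failed (status $rc)" >&2
    rm -rf "$dest"
    return "$rc"
}

# Usage (hypothetical script name): sh verify-dotfiles.sh URL DEST KEYRING
# e.g. sh verify-dotfiles.sh https://example.invalid/dotfiles.git "$HOME/.dotfiles" /etc/hashbang-admins.gpg
if [ "$#" -eq 3 ]; then
    clone_dotfiles "$1" "$2" "$3"
fi
```

Both the "unknown signer" and "no signature" cases mentioned later in the thread end in a non-zero status from `git verify-commit`; the `case` on gpg's raw status lines only serves to give the new user a precise error message, the refusal itself rests on git's exit status alone.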

@KellerFuchs (Member, Author) commented Jun 18, 2016

Don't merge yet, I forgot some etckeeper stuff.
Should be ready to go.

@lrvick Ping!

Comment thread on skel/.bash_profile (outdated)

cat > "${GNUPGHOME}/gpg.conf" <<EOF
# Never, ever, ever do this in your personal gpg.conf
# However, this is sane when you know use an empty GNUPGHOME

Member

sane when you know use an empty

huh?

Member Author

Oops, missing word in the comment.
Thanks

@KellerFuchs (Member, Author)

I tested it on my kellertest account (adapting the thing to have the keyring in ~/hashbang-admins.gpg, temporarily).

Both the “good” (valid signature) case and the “unknown signer” case work.
I didn't test the “no signature” case, but git verify-commit will also error out on it.

@KellerFuchs (Member, Author)

@daurnimator Any comment, now that I fixed the missing word?

@daurnimator (Member)

Can't see anything wrong with it.

Not something I see the point of; but whatever, merge it.

@KellerFuchs (Member, Author)

OK.

@daurnimator FYI, the point of hashbang/hashbang#14 is not to trust Github ultimately.
Of course, there is no point in taking care of dotfiles when shell-etc is also pulled from Github; I was just starting with the low-hanging fruit.

@KellerFuchs KellerFuchs merged commit 8678cd2 into hashbang:master Jun 19, 2016
@KellerFuchs KellerFuchs deleted the gpg branch June 19, 2016 17:45