Marc Haber wrote:
> On Thu, Jan 10, 2019 at 03:47:24PM +0100, Christoph Anton Mitterer wrote:
> ...
>> Plus it automatically imports the shipped public key into the keyring
>> of the executing user… which is IMO also unacceptable.
> Agreed, the script should use its own keyring.

The script creates a temporary gpg homedir, imports the key, verifies the file and then removes the gpg homedir. See function gpg_verify().

So it actually uses its own keyring and does not touch the user's ~/.gnupg :-)

Cheers,
Christian
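
The temporary-homedir pattern described in the message above, as an added sketch; this is not the script's own gpg_verify(), and the function name and the detached-signature layout are assumptions. Because the throwaway keyring holds only the shipped key, a good signature can only come from a key in that key file.

```shell
#!/bin/sh
# Added example: verify a detached signature against a shipped public key
# using a throwaway GnuPG home, so the caller's ~/.gnupg is never read or
# modified. verify_with_temp_keyring is a hypothetical name.
#
# Usage: verify_with_temp_keyring KEYFILE SIGFILE DATAFILE
# Returns 0 only if gpg accepts the signature; non-zero on any failure.
verify_with_temp_keyring() {
    keyfile=$1 sigfile=$2 datafile=$3
    [ -r "$keyfile" ] && [ -r "$sigfile" ] && [ -r "$datafile" ] || return 2

    # Subshell: GNUPGHOME, umask and the traps stay local to this call.
    (
        umask 077                          # homedir must not be group/world readable
        GNUPGHOME=$(mktemp -d) || exit 2   # fresh, empty keyring location
        export GNUPGHOME
        trap 'rm -rf "$GNUPGHOME"' EXIT    # remove the keyring on every exit path
        trap 'exit 2' HUP INT TERM         # signals also go through the EXIT trap

        # Import only the shipped key; the user's keys are not visible here.
        gpg --batch --quiet --import "$keyfile" || exit 2

        # The subshell's exit status is gpg's verification result.
        gpg --batch --verify "$sigfile" "$datafile"
    )
}
```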
