On Sat, Feb 08, 2020 at 07:26:33AM -0700, Aaron Bieber wrote:
> Here is a tool I built to simplify the verification of gnupg signatures.

What does ogvt stand for?

> It's pretty straightforward, it takes a file, a pubkey and a signature. If
> everything matches you get a list of the valid identities and a "Signature OK"
> message.

Can you whip up a small manual?

> The goal for this is to open up the door to validating signatures from
> upstream by allowing us to store a public key in a port
> (mail/mutt/files/pubkey for example).

That will only be possible on archs with lang/go but still better than nothing,
thanks for your work!

> For a functional example see sthen@'s modification that uses gpg:
> https://marc.info/?t=157687704400002&r=1&w=2
>
> If you add mutt's pubkey in mail/mutt/files/pubkey and replace the line that
> calls gpg2 with:
> ogvt -sig $$file -file ${DISTFILES} -pub ${FILESDIR}/pubkey|| OK=false; \
>
> One can validate the signature with 'make checksum'

Perhaps a separate verify target that only does cryptographic signatures?

> Cluesticks? OKs?

Works as advertised, we can shake stuff out in-tree.
OK kn
