[PD-dev] Deken GPG signing question

IOhannes m zmölnig zmoelnig at iem.at
Sun Oct 27 20:35:12 CET 2019


On 10/25/19 2:05 PM, Jamie Bullock wrote:
> 
> Regarding Deken’s GPG signing step… it seems that a “package” or “upload” succeeds even if I type an incorrect GPG password. I discovered this because I accidentally typed a wrong password and the upload still went through without errors.
> 
> Can someone explain how GPG works with regard to Deken, and what the consequence is if the wrong password was typed?

so far, GPG-signing of deken-packages is purely optional.
(and as of now, the deken-plugin doesn't have a way to verify
GPG-signatures of downloaded packages; there's an open issue at [208])

"purely optional" means that if the user doesn't have GPG-installed
and/or doesn't have a GPG-key, they can (and will) upload packages
without a signature.

as a side-effect, it seems that users who have GPG-installed and have a
GPG-key, but fail to properly sign the packages (e.g. because they
mistyped their password), will fall under the "optional" clause and get
their packages uploaded without a GPG-signature.

this is arguably the wrong consequence - instead the process should
terminate with a hard failure (but still allow uploading packages
without GPG-signatures if the user doesn't have that setup).
probably somebody should create a ticket on github.
i'm pretty confident that this case was never actually tested (which
explains the broken handling).

i hope this makes it a bit clearer.



gamrds
IOhannes



[208] https://github.com/pure-data/deken/issues/208
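The two policies discussed above, as an added illustration that is not part of this thread or of deken's own code: the lenient version treats any signing failure like "no GPG setup" and carries on unsigned, while the strict version skips signing only when it is impossible and otherwise demands a real signature file. The gpg stand-ins, the package file and the argv are constructed assumptions.

```python
import tempfile
from pathlib import Path
from typing import Callable, Optional

class SigningError(RuntimeError):
    """GPG is set up, but producing a detached signature failed."""

# A runner takes the gpg argv and returns its exit status. Injecting it lets the
# policy run offline; a real one would be subprocess.run(argv).returncode.
Runner = Callable[[list], int]

def gpg_argv(package: Path) -> list:
    return ["gpg", "--batch", "--armor", "--detach-sign", str(package)]

def sign_lenient(package: Path, runner: Runner) -> Optional[Path]:
    """Behaviour the mail describes: every failure, a mistyped passphrase
    included, is handled like 'no GPG setup' and the upload goes on unsigned."""
    try:
        if runner(gpg_argv(package)) == 0:
            return Path(str(package) + ".asc")
    except Exception:
        pass
    return None

def sign_strict(package: Path, runner: Runner,
                gpg_installed: bool, has_secret_key: bool) -> Optional[Path]:
    """Suggested behaviour: unsigned upload only when signing is impossible;
    a failed attempt is a hard error, and the .asc must really exist."""
    if not (gpg_installed and has_secret_key):
        return None
    sig = Path(str(package) + ".asc")
    rc = runner(gpg_argv(package))
    if rc != 0 or not sig.is_file() or sig.stat().st_size == 0:
        raise SigningError(f"gpg exited {rc}; no usable signature for {package}")
    return sig

# Constructed stand-ins for gpg: a bad passphrase exits non-zero with no .asc.
def gpg_wrong_passphrase(argv: list) -> int:
    return 2

def gpg_ok(argv: list) -> int:
    Path(argv[-1] + ".asc").write_text("-----BEGIN PGP SIGNATURE-----\n...\n")
    return 0

def outcomes() -> dict:
    """Run both policies against a throwaway package file."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d) / "example-v1.0.dek"
        pkg.write_bytes(b"constructed package payload")
        res = {"lenient_bad_pw": sign_lenient(pkg, gpg_wrong_passphrase)}
        try:
            sign_strict(pkg, gpg_wrong_passphrase, True, True)
            res["strict_bad_pw"] = "uploaded unsigned"
        except SigningError:
            res["strict_bad_pw"] = "hard failure"
        res["strict_no_gpg"] = sign_strict(pkg, gpg_wrong_passphrase, False, False)
        res["strict_ok"] = sign_strict(pkg, gpg_ok, True, True).name
        return res
```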


