From: Peter Hanecak (hanecak@megaloman.com)
Date: Sun Nov 05 2000 - 13:01:09 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello,
finaly I managed to come back to my rpm2html experiments and I finished
"resolving" of signatures: every PGP and GPG signature is verified using
GnuPG and result is included in .html output. Primary goal was to actualy
see info like "package GPG signed by Joe Redneck" in .html output.
Notes:
1) you have to use:
autoconf # to up-date configure
./configure --with-gpg # to create proper Makefile
to have this work
2) current implementation requires librpmio
3)
- - rpm2html-1.5-sig-resolve.patch is patch against (hopefuly) latest CVS
snapshot (with basic signature processing alredy included)
- - rpm2html-1.5-sig-4.patch is patch against "vanilla" rpm2html 1.5
4) MD5 checksums are not verified because:
a) PGP/GPG verification is there just because I did not found other way
to extract key/signator information from signature itself other than
actualy verifying it
b) EVERY RPM package should have at least MD5 checksum signature so for
BIG archives it makes BIG difference if rpm2html verifyies also MD5
checksums
c) at the end, every user MUST or SHOULD check those signatures for
themselves either after downloading packages so I consider it enought to
just "dump" MD5 checksum into .html output.
But, if someone want to verify also MD5 signatures, it should not be very
hartd to add (IMO). Anyone interested?
So that's all for now.
Sincerely
Hany
- --
===================================================================
Peter Hanecak <hanecak@megaloman.com>
GPG pub.key: http://www.megaloman.com/gpg/hanecak-megaloman.txt
===================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE6BaBq1rzDsblwlA8RAgbxAJ9cWQqQIWNlycf19x7WzvpaDH1DRACglgrd
sIA+fXQbHTCZYdoU3bksTYU=
=xsAC
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b29 : Thu May 10 2001 - 18:40:13 EDT