commit gpg-offline for openSUSE:Factory
Hello community, here is the log from the commit of package gpg-offline for openSUSE:Factory checked in at 2012-11-30 12:21:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gpg-offline (Old) and /work/SRC/openSUSE:Factory/.gpg-offline.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "gpg-offline", Maintainer is "" Changes: -------- --- /work/SRC/openSUSE:Factory/gpg-offline/gpg-offline.changes 2012-11-28 10:33:33.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gpg-offline.new/gpg-offline.changes 2012-11-30 12:21:09.000000000 +0100 @@ -1,0 +2,12 @@ +Thu Nov 29 19:47:36 CET 2012 - sbrabec@suse.cz + +- Fix return code of --verify. +- Fix invalid concatenation of keyrings in --add. +- Add --list. +- Improve verbose output. +- Do not use %{sources}. It is incompatible with old rpm. +- Add more options to rpm macros. +- Add PACKAGING.HOWTO. +- Improve texts. + +------------------------------------------------------------------- Old: ---- gpg-offline.man New: ---- gpg-offline.PACKAGING.HOWTO gpg-offline.man.in ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gpg-offline.spec ++++++ --- /var/tmp/diff_new_pack.haDSXt/_old 2012-11-30 12:21:10.000000000 +0100 +++ /var/tmp/diff_new_pack.haDSXt/_new 2012-11-30 12:21:10.000000000 +0100 @@ -15,19 +15,22 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + Name: gpg-offline Version: 0.1 Release: 0 Summary: Trusted GPG Offline Keyring Manipulation Tool -Group: Hardware/Other License: GPL-2.0+ +Group: Hardware/Other Source: %{name}.gopts Source1: %{name}.COPYING Source2: genopts Source3: %{name}.macros -Source4: %{name}.man +Source4: %{name}.man.in +Source5: %{name}.PACKAGING.HOWTO BuildRequires: gpg2 -Requires: diffutils gpg2 +Requires: diffutils +Requires: gpg2 BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch 
@@ -43,10 +46,12 @@ %prep %setup -q -T -c -cp -a %{sources} . +cp -a %{S:0} %{S:1} %{S:2} %{S:3} %{S:4} %{S:5} . mv %{name}.COPYING COPYING +mv %{name}.PACKAGING.HOWTO PACKAGING.HOWTO %build +sed s:@docdir@:%{_docdir}/%{name}:g <%{name}.man.in >%{name}.man bash ./genopts %{name} %install 
@@ -60,7 +65,7 @@ %files %defattr(-,root,root) -%doc COPYING +%doc COPYING PACKAGING.HOWTO %{_bindir}/* %doc %{_mandir}/man1/*.* /etc/rpm/macros.* ++++++ gpg-offline.PACKAGING.HOWTO ++++++ Packaging with gpg-offline ========================== gpg-offline allows packager to use and verify signatures independently on network access. It makes possible to verify signatures in a network-less sandboxes. Contents: First time adding to the spec file Prepare if I have only a trusted signature Prepare if I already have a trusted keyring Common step: create spec file Version upgrade in the spec file Signing key was changed in upstream Package review Automatic check Build Service use First time adding to the spec file ---------------------------------- GPG signature verification expects presence of signer in the web of trust. It is often not true for packaging upstream packages. So you have to trust them using inferior methods, e. g. time continuity: Signature downloaded a year ago uses the same signing key as the current one. Prepare if I have only a trusted signature - - - - - - - - - - - - - - - - - - - - - If you have a trusted signature and you want to create keyring: gpg --verify mypackage.tar.gz.sig Online GPG verification will be performed. You will get a text containing description and ID of the signing key. Pick the key ID from the output and and call: gpg-offline --package={my_package} --add {key_id} Example: ~/OSC/openSUSE:Factory/libnetfilter_acct> gpg --verify *.sig gpg: Signature made Tue Oct 9 00:42:06 2012 CEST using RSA key ID BB5F58CC gpg: Good signature from "Netfilter Core Team <coreteam@netfilter.org>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
Primary key fingerprint: 57FF 5E9C 9AA6 7A86 0B55 7AF7 A411 1F89 BB5F 58CC ~/OSC/openSUSE:Factory/libnetfilter_acct> gpg-offline --package=${PWD##*/} --add BB5F58CC gpg: key BB5F58CC: "Netfilter Core Team <coreteam@netfilter.org>" not changed gpg: Total number processed: 1 gpg: unchanged: 1 Prepare if I already have a trusted keyring - - - - - - - - - - - - - - - - - - - - - - gpg-offline keyrings are standard armored GPG keyrings that contains text header that must exactly match to the keyring contents. If you already have a trusted keyring in another format (e. g. plain or armored keyring without a header), it is easy to convert it to gpg-offline format. Rename it to {my_package}.keyring, and the use gpg-offline --refresh command. The command will present an error to you, but you can silently ignore it: Yes, you are aware that text header does not match (or does not exist). (You can use --offline option to perform only the refresh and don't search keyservers.) Example: ~/OSC/openSUSE:Factory/apache2> gpg-offline --package=${PWD##*/} --refresh ... ERROR: apache2.keyring is a valid armored GPG keyring, but the the human readable description does not correspond to its contents. It could be only a cosmetic change, but it may also indicate malicious keyring. ... If you really want to accept these changes, please finish it by call: mv apache2.keyring.new apache2.keyring ~/OSC/openSUSE:Factory/apache2> mv apache2.keyring.new apache2.keyring ~/OSC/openSUSE:Factory/apache2> Common step: create spec file - - - - - - - - - - - - - - - Suppose that you have a signature and {my_package}.keyring. You are ready to edit the spec file. 
Spec file preamble should contain the tarball, the signature and the keyring and require the gpg-offline package: Source: http://{url_path_to_your_project}/%{name}-%{version}.tar.bz2 +Source1: http://{url_path_to_your_project}/%{name}-%{version}.tar.bz2.sig +Source2: %{name}.keyring +BuildRequires: gpg-offline And %prep section should perform the verification step: %prep +%gpg_verify %{S:1} %setup -q (See /etc/rpm/gpg-offline.macros comments for all available options of %gpg_verify.) You are done! Version upgrade in the spec file -------------------------------- If you are upgrading the version, you have to upgrade the signature as well. If the signing key did not change, you are done. If the signing key changed, please do additional steps to verify, that the new signing key is valid. There is a risk of a malicious signature using malicious signing key! Do not blindly trust the sigining key header! Using gpg-offline --add and gpg-offline --delete commands upgrade your keyring. Submit the package and describe signing key change to the reviewer. Signing key was changed in upstream -------------------------------- If the signing key changed in upstream (new signature, expiration change etc., please use gpg-offline --refresh command. Submit the package and describe signing key change to the reviewer. Package review -------------- Verify that %gpg_verify is properly called in the %prep or %build stage. If you are unsure about the signing key, you can verify the keyring online by gpg-offline --review. You should always see OK message: {my_package}.keyring is a valid armored GPG keyring and the human readable description corresponds to its contents. Take special care if the public key is not present on upstream servers. (But it is generally OK to not upload their public keys to keyserver and publish trusted public key in an another way.) 
Example: ~/OSC/openSUSE:Factory/libnetfilter_acct> gpg-offline --package=${PWD##*/} --review gpg: refreshing 1 key from hkp://subkeys.pgp.net gpg: requesting key BB5F58CC from hkp server subkeys.pgp.net gpg: key BB5F58CC: "Netfilter Core Team <coreteam@netfilter.org>" 3 new signatures gpg: Total number processed: 1 gpg: new signatures: 3 gpg: no ultimately trusted keys found pub 4096R/BB5F58CC 2010-10-21 [expires: 2015-10-20] uid Netfilter Core Team <coreteam@netfilter.org> sub 4096R/04B92F5C 2010-10-21 [expires: 2015-10-20] libnetfilter_acct.keyring is a valid armored GPG keyring and the human readable description corresponds to its contents. Automatic check --------------- You can also perform automatic check by gpg-offline --review --offline. If will only check, that packager did not falsified keyring header, and nothing else. This check can be performed offline and you can use return code to fail. Example: ~/OSC/openSUSE:Factory/libnetfilter_acct> gpg-offline --package=${PWD##*/} --review --offline pub 4096R/BB5F58CC 2010-10-21 [expires: 2015-10-20] uid Netfilter Core Team <coreteam@netfilter.org> sub 4096R/04B92F5C 2010-10-21 [expires: 2015-10-20] libnetfilter_acct.keyring is a valid armored GPG keyring and the human readable description corresponds to its contents. Build Service use ----------------- If you need to build your package for older products and don't want to mess spec file with %ifs, you can link or aggregate gpg-offline from devel:tools:building or use following trick with "osc meta prjconf": --- Cut here ---- %if 0%{?suse_version} <= 1220 Substitute: gpg-offline %endif Macros: %gpg_verify(dnf) \ %if 0%{?suse_version} > 1220\ echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\ gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\ %else\ echo "WARNING: Dummy prjconf macro. 
gpg-offline is not available, skipping %{**} GPG signature verification!"\ %endif\ %nil ----------------- ++++++ gpg-offline.gopts ++++++ --- /var/tmp/diff_new_pack.haDSXt/_old 2012-11-30 12:21:10.000000000 +0100 +++ /var/tmp/diff_new_pack.haDSXt/_new 2012-11-30 12:21:10.000000000 +0100 @@ -41,15 +41,15 @@ Offline verify files in packages that they are signed by selected signatures. Manipulate selected signatures in keyring. -@option FILE -f --keyring=FILE -specifies keyring file - @option PACKAGE -p --package=PACKAGE specifies package name (i. e. file name without suffix, equivalent to --keyring="${DIR:-$PWD}/$PACKAGE.keyring") @option DIRECTORY --directory=DIR --package searches for keyring in DIR +@option FILE -f --keyring=FILE +specifies keyring file + @switch ADD -a --add Adds keys specified in ARGUMENT for inclusion to the package trusted keyring (run in the source directory) @@ -61,12 +61,15 @@ @switch REVIEW -r --review reviews the keyring and its human readable corresponds with the contents -@switch VERIFY -c --verify -verifies signature of selected source files - @switch REFRESH -R --refresh refreshes the keyring and its human readable corresponds with the contents +@switch LIST -l --list +lists keyring contents (exactly equal to --review --offline) + +@switch VERIFY -c --verify +verifies signature of selected source files + @switch OFFLINE -O --offline does not verify up-to-date status online (use with --review or --refresh) 
@@ -78,13 +81,38 @@ shopt -s nullglob -# vrun comment command args -# verbose echo and run command -function vrun { +# vvrun comment command args +# verbose level 0: run command and redirect stderr to /dev/null +# verbose level 1: run command +# verbose level >=2: echo and run command +function vrun2 { if $OPTARG_VERBOSE ; then - echo >&2 -e "\\n$1" + if test $OPTCNT_VERBOSE -gt 1 ; then + echo >&2 -e "\\n$1" + shift + echo >&2 " $*" + else + shift + fi + "$@" + else shift - echo >&2 " $*" + "$@" 2>/dev/null + fi +} + +# vvrun comment command args +# verbose level <2: run command +# verbose level >=2: echo and run command +function vvrun { + if $OPTARG_VERBOSE ; then + if test $OPTCNT_VERBOSE -gt 1 ; then + echo >&2 -e "\\n$1" + shift + echo >&2 " $*" + else + shift + fi else shift fi @@ -92,11 +120,11 @@ } function temp_setup { - TEMP=~/.gpg-upstream-keys/ + TEMP=~/.gpg-offline/ # Note: we use ~/.gnupg to prevent problems inside osc generated paths containing ":". rm -rf ${TEMP}key.$$ ${TEMP}keyring.$$ ${TEMP}keyringdesc.$$ ${TEMP}keyringdesc.no-expired-string.$$ ~/.gnupg/gpg-offline.$$* - mkdir -p ~/.gpg-upstream-keys - trap "eval rm -rf ${TEMP}key.$$ ${TEMP}keyring.$$ ${TEMP}keyringdesc.$$ ${TEMP}keyringdesc.no-expired-string.$$ ~/.gnupg/gpg-offline.$$* \$TEMP_FILES ; rmdir --ignore-fail-on-non-empty ~/.gpg-upstream-keys" EXIT + mkdir -p ~/.gpg-offline + trap "eval rm -rf ${TEMP}key.$$ ${TEMP}keyring.$$ ${TEMP}keyringdesc.$$ ${TEMP}keyringdesc.no-expired-string.$$ ~/.gnupg/gpg-offline.$$* \$TEMP_FILES ; rmdir --ignore-fail-on-non-empty ~/.gpg-offline" EXIT } # keyring_add keyring_op keyring_from keyring_to 
@@ -107,39 +135,39 @@ temp_setup if test -f $2 ; then - vrun "Import existing keyring to the temporary keyring:"\ + vrun2 "Import existing keyring to the temporary keyring:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --import <$2 fi keyring_op_$1 - vrun "Export the keyring in ASCII form:"\ + vvrun "Export the keyring in ASCII form:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --armor --export-options no-export-attributes,export-clean,export-minimal --export >${TEMP}keyring.$$ # Set locale to C for byte-to-byte reproducibility, but keep UTF-8 CTYPE to get international characters readable. - LC_ALL= LANG=C LC_CTYPE=en_US.UTF-8 vrun "List the human readable contents of the keyring:"\ + LC_ALL= LANG=C LC_CTYPE=en_US.UTF-8 vvrun "List the human readable contents of the keyring:"\ gpg --no-default-keyring --list-options show-unusable-uids,show-unusable-subkeys --keyring gpg-offline.$$ --list-keys | sed '1,/^--/d' >${TEMP}keyringdesc.$$ # Make sure that description is time independent. Convert "expired" to "expires". sed 's/ \[expired/ [expires/' <${TEMP}keyringdesc.$$ >${TEMP}keyringdesc.no-expired-string.$$ - vrun "Create new keyring and prepare spec:"\ - cat ${TEMP}keyringdesc.no-expired-string.$$ ${TEMP}keyring.$$ >>$3 + vvrun "Create new keyring and prepare spec:"\ + cat ${TEMP}keyringdesc.no-expired-string.$$ ${TEMP}keyring.$$ >$3 } # keyring_op: Add keys specified in the command line arguments. 
function keyring_op_add { TEMP_FILES="${TEMP}key.$$" for ID in "${ARGV[@]}" ; do - vrun "Extract minimal form of the key $ID in binary form:"\ + vvrun "Extract minimal form of the key $ID in binary form:"\ gpg --armor --export-options no-export-attributes,export-clean,export-minimal --export "$ID" >${TEMP}key.$$ - vrun "Import the new key to the temporary keyring:"\ + vvrun "Import the new key to the temporary keyring:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --import <${TEMP}key.$$ done } function keyring_op_delete { TEMP_FILES="" - vrun "Delete specified keys from the temporary keyring:"\ + vvrun "Delete specified keys from the temporary keyring:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --delete-keys "${ARGV[@]}" } @@ -147,21 +175,21 @@ TEMP_FILES="${TEMP}review.$$ ${TEMP}keyringdesc.no-expire-info.$$ ${TEMP}keyringdesc.extracted.no-expire-info.$$ ${TEMP}keyringdesc.extracted.$$" if ! $OPTARG_OFFLINE ; then - vrun "Refreshing keys from the key server:"\ + vvrun "Refreshing keys from the key server:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --refresh-keys fi } function filespec_required { - if $OPTARG_PACKAGE ; then - if $OPTARG_DIRECTORY ; then - KEYRING="$OPTVAL_DIRECTORY/$OPTVAL_PACKAGE.keyring" - else - KEYRING="$OPTVAL_PACKAGE.keyring" - fi + if $OPTARG_FILE ; then + KEYRING="$OPTVAL_FILE" else - if $OPTARG_FILE ; then - KEYRING="$OPTVAL_FILE" + if $OPTARG_PACKAGE ; then + if $OPTARG_DIRECTORY ; then + KEYRING="$OPTVAL_DIRECTORY/$OPTVAL_PACKAGE.keyring" + else + KEYRING="$OPTVAL_PACKAGE.keyring" + fi else echo >&2 "$0: You must specify either --package or --file to use this command." exit 1 
@@ -187,13 +215,13 @@ RC=$? if $SPEC_MODIFY ; then echo -e "\\nIf not yet done, please add following lines to $OPTVAL_PACKAGE.spec and submit:\\n" - echo "Source{#}: %{name}.keyring" + echo "Source2: %{name}.keyring" + echo "BuildRequires: gpg-offline" echo "" echo "And in %prep section:" echo "" echo "%gpg_verify %{S:1}" - echo " or" - echo "%gpg_verify -n keyring_name_without_suffix %{S:1}" + echo "" echo "(where %{S:1} is the signature)" echo " By submitting this change, you certify, that you verified, that the @@ -215,17 +243,22 @@ if $OPTARG_VERIFY ; then filespec_required keyring_required + temp_setup + TEMP_FILES="${TEMP}stderr.$$" + RC=0 rm -rf ~/.gnupg/gpg-offline.$$* - trap "rm -rf ~/.gnupg/gpg-offline.$$*" EXIT -# vrun "Import armored $KEYRING to the temporary keyring:"\ + # Enable once FIXME below will be fixed and disable temp_setup above. + #trap "rm -rf ~/.gnupg/gpg-offline.$$*" EXIT + vvrun "Import armored $KEYRING to the temporary keyring:"\ gpg --no-default-keyring --keyring gpg-offline.$$ --import <"$KEYRING" for SIGNATURE in "${ARGV[@]}" ; do - vrun "Verifying $SIGNATURE against the temporary keyring only:"\ - gpg --trust-model=always --keyserver-options=no-auto-key-retrieve --no-default-keyring --keyring=gpg-offline.$$ --verify "$SIGNATURE" 2>&1 | - # FIXME: Get rid this warning! - grep -v '^gpg: WARNING: Using untrusted key!$' >&2 + vvrun "Verifying $SIGNATURE against the temporary keyring only:"\ + gpg --trust-model=always --keyserver-options=no-auto-key-retrieve --no-default-keyring --keyring=gpg-offline.$$ --verify "$SIGNATURE" 2>${TEMP}stderr.$$ let RC+=$? + # FIXME: Get rid this warning! + # We have to use temporary file, otherwise return code gets lost. + grep -v '^gpg: WARNING: Using untrusted key!$' ${TEMP}stderr.$$ >&2 done if test $RC -gt 0 ; then exit 1 
@@ -233,13 +266,16 @@ exit 0 fi -if test $OPTARG_REVIEW -o $OPTARG_REFRESH ; then +if test $OPTARG_REVIEW -o $OPTARG_REFRESH -o $OPTARG_LIST ; then + if $OPTARG_LIST ; then + OPTARG_OFFLINE=true + fi filespec_required keyring_required if $OPTARG_REFRESH ; then REVIEW="$KEYRING.new" else - TEMP=~/.gpg-upstream-keys/ + TEMP=~/.gpg-offline/ REVIEW=${TEMP}review.$$ fi temp_setup @@ -252,7 +288,9 @@ if $OPTARG_REFRESH ; then echo >&2 -e "$KEYRING is already up to date and needs no refresh." else - echo >&2 -e "$KEYRING is a valid armored GPG keyring and the human readable description corresponds to its contents." + if ! $OPTARG_LIST ; then + echo >&2 -e "$KEYRING is a valid armored GPG keyring\\nand the human readable description corresponds to its contents." + fi fi rm "$REVIEW" exit 0 @@ -264,9 +302,9 @@ if cmp -s ${TEMP}keyringdesc.extracted.no-expire-info.$$ ${TEMP}keyringdesc.no-expire-info.$$ ; then # It seems that the author only extended the signature validity or revoked. - echo >&2 -e "ERROR: $KEYRING is a valid armored GPG keyring and the human readable description corresponds to its contents, but there is a validity info update." + echo >&2 -e "ERROR: $KEYRING is a valid armored GPG keyring\\nand the human readable description corresponds to its contents,\\nbut there is a validity info update." else - echo >&2 -e "ERROR: $KEYRING is a valid armored GPG keyring, but the the human readable description does not correspond to its contents. It could be only a cosmetic change, but it may also indicate malicious keyring." + echo >&2 -e "ERROR: $KEYRING is a valid armored GPG keyring,\\nbut the the human readable description does not correspond to its contents.\\nIt could be only a cosmetic change, but it may also indicate malicious keyring." fi diff ${TEMP}keyringdesc.extracted.$$ ${TEMP}keyringdesc.no-expired-string.$$ 
@@ -274,7 +312,7 @@ # We do not force-perform this action. There may be race condition change of upstream keyring between --review and --refresh. echo >&2 -e "If you really want to accept these changes, please finish it by call:\\nmv $REVIEW $KEYRING" else - echo >&2 -e "If you are sure that it is OK, and you can perform keyring change, please call:\\n$0 -f $KEYRING --refresh\\nand then follow hints." + echo >&2 -e "If you are sure that it is OK, and you can perform keyring change,\\nplease call:\\n$0 -f $KEYRING --refresh\\nand then follow hints." fi # We always return 1 here. Offline tests should never have problem with revocation or key expiration change, # online tests should consider it as an error. ++++++ gpg-offline.macros ++++++ --- /var/tmp/diff_new_pack.haDSXt/_old 2012-11-30 12:21:10.000000000 +0100 +++ /var/tmp/diff_new_pack.haDSXt/_new 2012-11-30 12:21:10.000000000 +0100 
@@ -13,9 +13,11 @@ # %gpg_verify %{S:1} # or # %gpg_verify -n keyring_name_without_suffix %{S:1} +# %gpg_verify -d directory_for_searching_of_the_keyring -n keyring_name_without_suffix %{S:1} +# %gpg_verify -f full_keyring_name_with_path %{S:1} # Note: %{S:1} is the signature, not the tarball. # -%gpg_verify(n:) \ -gpg-offline --directory=%{_sourcedir} --package="%{-n:%{-n*}}%{!-n:%{name}}" --verify %{**}\ +%gpg_verify(dnf) \ +gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\ %nil ++++++ gpg-offline.man.in ++++++ .TH gpg-offline "1" "November 2012" "GPG Offline" "GPG Offline Keyring Manipulation" .SH NAME gpg-offline \- trusted GPG offline keyring manipulation tool .SH SYNOPSIS .B gpg-offline \fI[OPTION]\fR \fI[ARGUMENT]\fR... Meaning of \fI[ARGUMENT]\fR depends on the mode of operations. .SH DESCRIPTION Offline gpg verification tool can verify signatures in ARGUMENT list and manipulate with selected signatures in offline keyrings. .PP Mandatory arguments to long options are mandatory for short options too. .TP \fB\-p\fR, \fB\-\-package\fR=\fIPACKAGE\fR specify the package (either \fB\-\-package\fR or \fB\-\-keyring\fR are mandatory) Tool will access file named .FN \fIPACKAGE\fR.keyring in the directory specified by \fB\-\-package\fR. .TP \fB\-\-directory\fR \fIDIR\fR specifies directory where .FN \fIPACKAGE\fR.keyring will be searched. .TP \fB\-f\fR, \fB\-\-keyring\fR=\fIFILE\fR specifies the keyring file. .IP Either \fB\-\-package\fR or \fB\-\-keyring\fR are mandatory. If you specify both, \fB\-\-keyring\fR takes precedence over \fB\-\-package\fR. .TP \fB\-a\fR, \fB\-\-add\fR \fIKEY_ID\fR... adds signing key(s) KEY_ID of upstream package for inclusion to the keyring file. If the file does not exist, it is created and needed lines are proposed for inclusion to \fIPACKAGE\fR.spec. .IP This command needs correctly configured gnupg and may need to contact keyring servers on Internet. 
.TP \fB\-d\fR, \fB\-\-delete\fR \fIKEY_ID\fR... removes signing key(s) KEY_ID of upstream package from the keyring file. .TP \fB\-c\fR, \fB\-\-verify\fR \fISIGNATURE\fR... verifies that the signature is valid. Signature is validated only against keys included in the keyring file. Any other keys are not accepted. .IP Verification is safe in offline environment without network access. .TP \fB\-c\fR, \fB\-\-review\fR reviews the keyring file: Checks that the human readable header corresponds to its contents. If \fB\-\-offline\fR is not specified, check online for keys updates. .TP \fB\-c\fR, \fB\-\-refresh\fR refreshes the keyring file: Update the human readable header according to its contents. If \fB\-\-offline\fR is not specified, check online for keys updates. .TP \fB\-v\fR, \fB\-\-offline\fR skips online checks in \fB\-\-review\fR and \fB\-\-refresh\fR. .TP \fB\-v\fR, \fB\-\-verbose\fR explains what is being done. Use twice to see even more. .TP \fB\-\-help\fR displays help and exits. .TP \fB\-\-version\fR outputs version information and exits. .PP The keyring file contains trusted keyring for particular package and contains keys that can be used for signing source tarballs of the package. Signature is considered as valid only if its signing key is part of trusted keyring for the package in question. .PP .B gpg-offline keyrings are standard armored GPG keyrings that contains text header that must exactly match to the keyring contents. .SH FILES @docdir@/PACKAGING.HOWTO Instructions for packagers. .SH AUTHOR Written by Stanislav Brabec, SUSE Linux .SH "REPORTING BUGS" Report bugs to sbrabec@suse.cz .SH COPYRIGHT Copyright \(co 2012 Stanislav Brabec, SUSE Linux .br License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>. .br This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. 
.SH "SEE ALSO" .BR gpg2 (1) -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
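Review bot: in the gpg-offline.spec hunk @@ -15,19 +15,22 @@, `Group: Hardware/Other` (only moved below `License:` here) does not fit a "Trusted GPG Offline Keyring Manipulation Tool"; Productivity/Security is the group openSUSE uses for comparable tools, and since the line is being touched anyway this is the moment to change it. Splitting `Requires: diffutils gpg2` into two `Requires:` lines is fine.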
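Review bot: in the gpg-offline.spec hunk @@ -43,10 +46,12 @@, the %build line `sed s:@docdir@:%{_docdir}/%{name}:g <%{name}.man.in >%{name}.man` leaves the sed expression unquoted and uses `:` as the delimiter while substituting a path; it works only as long as %{_docdir} contains neither `:` nor shell metacharacters. Quoting it and picking a delimiter that cannot appear in a path (`sed "s|@docdir@|%{_docdir}/%{name}|g"`) removes the silent failure mode. The explicit `cp -a %{S:0} ... %{S:5} .` list now has to be maintained by hand whenever a SourceN is added; a one-line comment saying that %{sources} was dropped on purpose for old rpm (as the changelog states) would keep the next editor from reverting it.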
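Review bot: in the new file gpg-offline.PACKAGING.HOWTO, the section "Prepare if I already have a trusted keyring" tells the reader that the ERROR printed by --refresh can be "silently ignored" and followed by `mv apache2.keyring.new apache2.keyring`; that is the same message a tampered keyring produces, and the tool prints a diff of the header right before the hint, so the text should ask the reader to inspect that diff before the `mv` rather than skip it. Text fixes in the same file: "independently on network access" should be "independently of network access"; "a network-less sandboxes" should be singular; "Pick the key ID from the output and and call" has a doubled "and"; "Do not blindly trust the sigining key header" misspells "signing"; the underline under "Signing key was changed in upstream" is two characters short of the heading; "(new signature, expiration change etc., please use" never closes its parenthesis; and "If will only check, that packager did not falsified keyring header" should read "It will only check that the packager has not falsified the keyring header".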
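Review bot: in the gpg-offline.gopts hunk @@ -61,12 +61,15 @@, the --review and --refresh descriptions ("reviews the keyring and its human readable corresponds with the contents") are missing the noun; "checks that the human readable header corresponds to the contents" matches what the man page says. The new `--list` entry is consistent with the code, which forces --offline for it.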
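Review bot: in the gpg-offline.gopts hunk @@ -78,13 +81,38 @@, the comment block above `function vrun2` is headed `# vvrun comment command args` (copied from the function below it) and should say `vrun2`. Behaviourally, vrun2 at verbose level 0 runs the command with `2>/dev/null`, and its only caller is the import of an existing keyring in keyring_add; when that import fails at default verbosity the user sees nothing at that point and only an unrelated error later. Consider checking the status of that call (`vrun2 ... || exit 1`) so the failure is reported where it happens.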
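Review bot: in the gpg-offline.gopts hunk @@ -107,39 +135,39 @@, `$2` and `$3` are used unquoted in `--import <$2` and `cat ... >$3`; a keyring path containing a space breaks both redirections, so quote them. The change from `>>$3` to `>$3` is the right fix for the concatenation bug named in the changelog: a regenerated keyring must replace the file, since appending a second armored block after the first makes the header no longer match the contents.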
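Review bot: in the gpg-offline.gopts hunk @@ -187,13 +215,13 @@, the spec hint now hard-codes `Source2: %{name}.keyring` and `%gpg_verify %{S:1}` in place of the former `Source{#}` placeholder; on a spec that already uses Source1 and Source2 for other files, pasting the hint as printed points %gpg_verify at the wrong file. Either keep a placeholder or state in the hint that the numbers are an example to adjust. The dropped `%gpg_verify -n keyring_name_without_suffix %{S:1}` line is still documented in gpg-offline.macros, so removing it from the hint is a loss rather than a cleanup.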
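Review bot: in the gpg-offline.gopts hunk @@ -215,17 +243,22 @@, the `--import <"$KEYRING"` step that runs before the loop has no status check; if the keyring file is unreadable or not a valid keyring, the failure surfaces only as a "No public key" error from each later `--verify`. The outcome is still fail-closed, because RC becomes non-zero and the script exits 1, so this is a diagnostics point: add `|| { echo >&2 "$0: cannot import $KEYRING"; exit 1; }` after the import. Redirecting gpg's stderr to `${TEMP}stderr.$$` so that `let RC+=$?` sees gpg's exit status instead of grep's is the correct fix for the --verify return code mentioned in the changelog; the previous pipeline discarded it.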
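Review bot: in the gpg-offline.gopts hunk @@ -233,13 +266,16 @@, `if test $OPTARG_REVIEW -o $OPTARG_REFRESH -o $OPTARG_LIST ; then` tests the variables as strings, while the rest of the script executes them as commands (`if $OPTARG_LIST ; then`), i.e. they hold the words `true` or `false`; both are non-empty, so `test` succeeds for every combination and the condition filters nothing. The problem predates this hunk, but the hunk extends the expression; write `if $OPTARG_REVIEW || $OPTARG_REFRESH || $OPTARG_LIST ; then`. Forcing `OPTARG_OFFLINE=true` for --list is correct and matches the help text "exactly equal to --review --offline".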
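Review bot: in the gpg-offline.gopts hunk @@ -264,9 +302,9 @@, the rewrapped error message still contains the doubled article "but the the human readable description"; fix it while the line is being touched, since this exact text is also quoted in PACKAGING.HOWTO.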
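Review bot: in the gpg-offline.macros hunk @@ -13,9 +13,11 @@, `%gpg_verify(dnf)` drops the colon that the previous `%gpg_verify(n:)` had; in rpm's macro option syntax a letter without a colon is a flag that takes no value, so `%{-d*}`, `%{-n*}` and `%{-f*}` expand empty and the word after `-n` ends up in `%{**}` as if it were a signature file. Unless I am misreading the syntax, this should be `(d:n:f:)`. Separately, `--package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}"` appends the -f value to the --package argument, yielding the single word `--package=NAME PATH`, rather than passing `--keyring=PATH`; since filespec_required lets --keyring override --package, `%{-f:--keyring="%{-f*}"}` as a separate argument is what the documented `-f full_keyring_name_with_path` form needs. The same macro body is pasted into the prjconf snippet in PACKAGING.HOWTO and needs the same corrections.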
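Review bot: in the new file gpg-offline.man.in, the short options disagree with gpg-offline.gopts: the man page gives `-c` to --verify, --review and --refresh, and `-v` to both --offline and --verbose, whereas gopts defines `-c --verify`, `-r --review`, `-R --refresh` and `-O --offline`. Also, under --package the text "in the directory specified by --package" should say --directory, and `.FN` is not a man(7) macro (use `.I`), so those file names currently render as literal ".FN" lines.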