how to verify gpg-signed commits

John A Meinel john at arbash-meinel.com
Wed May 10 17:45:44 BST 2006


James Henstridge wrote:
> On 7/5/06, John Arbash Meinel <john at arbash-meinel.com> wrote:
>> I have a plugin available from here:
>> http://bzr.arbash-meinel.com/plugins/bzr/signing/
>>
>> It provides the command 'bzr verify-sigs', which will run 'gpg --verify'
>> for every signature found.
>>
>> The reason it isn't in bzr core is that we really wanted to do the
>> verification properly, using something like 'libgpgme'. This was just my
>> quick hack to allow some integrity checking.
> 
> If you want to use gpgme, you might want to try my pygpgme wrapper:
> 
>    http://cheeseshop.python.org/pypi/pygpgme
> 
> It should make it easy to properly verify signatures, get information
> about signing keys (e.g. what uids are attached to the key), tell you
> whether the user trusts the signature or not, etc.
> 
> When using it to verify clearsigned content, it will also give you the
> plaintext that was signed which should be useful for verifying that
> the signed content matches the testament.

I did end up finding your branch at:
http://www.gnome.org/~jamesh/bzr/pygpgme

Launchpad could make it a little bit more obvious, but I found it.

Anyway, I tried installing using 'easy_install' on my Mac OSX laptop,
but it didn't like the fact that the include and lib files are in
/opt/local/lib/ and /opt/local/include (from darwinports).

By downloading -0.1.tar.gz manually, and using
CFLAGS='-I/opt/local/include -L/opt/local/lib' python setup.py build

I could get it to build and install, but then it couldn't find _pth_*.
So I edited setup.py to use gpgme_pth, and I could then import gpgme.

However, when I go to actually run, I get a BUS_ERROR on my Mac.

So then I ssh'd to my Fedora Core machine, and used easy_install. It
installed fine, but when I run test_all.py I get 2 errors and a
segmentation fault.

I tried your dev code, and I still get a FAIL and a segmentation fault.
(Though I only get 1 failure).

Are you expecting a specific gpgme version? I'm not sure what platforms
you've tested it on. I did try your latest dev code on a Dapper machine,
and all 53 tests pass.

I'm happy to provide a little bit of feedback and bug reports. Also, it
would seem that there isn't a lot of documentation. You mention that you
follow the C API, are you assuming that is the documentation to use?

John
=:->
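The point James makes above about clearsigned verification (the plaintext that was signed should be checked against the testament) is illustrated by the following added example; it is not code from this thread, from bzr or from pygpgme. It splits an OpenPGP cleartext signature (RFC 4880 section 7 framing) into the exact text that was signed and the armored signature block, then compares the signed text with the testament the repository computed. The sample testament and signature block are constructed placeholders; the cryptographic check of the signature block itself is still gpg's (or gpgme's) job.

```python
# Added example: parse the cleartext-signature framing and compare the
# signed text with an expected testament.  Does not verify the signature.
BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Return (plaintext, armored_signature); ValueError if malformed."""
    lines = text.splitlines()
    try:
        start = lines.index(BEGIN)
        sig_start = lines.index(SIG_BEGIN, start)
        sig_end = lines.index(SIG_END, sig_start)
    except ValueError:
        raise ValueError("not a well-formed cleartext signature") from None
    # "Hash:" armor headers follow BEGIN and end at the first blank line.
    i = start + 1
    while i < sig_start and lines[i].strip():
        i += 1
    cleaned = []
    for line in lines[i + 1:sig_start]:
        if line.startswith("- "):      # undo dash-escaping of "-" lines
            line = line[2:]
        cleaned.append(line.rstrip(" \t"))  # trailing whitespace is not signed
    plaintext = "\n".join(cleaned)
    signature = "\n".join(lines[sig_start:sig_end + 1]) + "\n"
    return plaintext, signature

def signed_text_matches(clearsigned, expected_testament):
    """True if the signed text equals the testament bzr computed."""
    plaintext, _ = split_clearsigned(clearsigned)
    expected = "\n".join(l.rstrip(" \t") for l in expected_testament.splitlines())
    return plaintext == expected

# Constructed sample; the signature block is a placeholder, not a real one.
SAMPLE = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

bazaar-ng testament version 1
revision-id: example-revision-id-placeholder
- -- dash-escaped line, unescaped on output
message: example commit
-----BEGIN PGP SIGNATURE-----

iD8DBQFE...placeholder...
-----END PGP SIGNATURE-----
"""
TESTAMENT = ("bazaar-ng testament version 1\n"
             "revision-id: example-revision-id-placeholder\n"
             "-- dash-escaped line, unescaped on output\n"
             "message: example commit\n")
```

After `gpg --verify` reports a good signature on the file, `signed_text_matches` is the second check: that what was signed is the testament for the revision being verified, not some other text.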

