Open mpdude opened 4 years ago
The idea here would be to use extra.keybase-trusted-usernames to create a local keychain
On Sun, Dec 29, 2019, 22:17 Matthias Pigulla notifications@github.com wrote:
Currently this plugin requires that everybody on the team has all the necessary keys on their personal keychain.
I wonder if it would be a good decision to support a dedicated, per-project keychain (in vendor/composer?) that would be managed by the plugin.
So, maybe the root project could configure via extra sections in composer.json a vendor/* or vendor/package-to-KeyID(s) mapping?
At startup, this plugin would have to make sure all necessary keys are available or try to fetch them.
Then, when downloading, make sure we verify against the configured key(s) only.
That way,
- I don’t clutter my personal keychain with keys necessary for projects and don’t have to juggle with different keychains either.
- Everybody on the team will have the necessary keys without further ado
- The decision to trust a particular key would be traceable to the commit adding it
Cons:
Not everybody might agree which keys are trustworthy.
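As an added example (not code from the plugin or either commenter), here is how a per-package key mapping like the one proposed above could be resolved and enforced in PHP; the extra key name gpg-trusted-keys, the vendor/* fallback rule and all fingerprints are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical "extra" section of the root composer.json. The key name
// "gpg-trusted-keys" is an assumption, not something the plugin defines.
$rootComposerJson = <<<'JSON'
{
  "extra": {
    "gpg-trusted-keys": {
      "roave/*": ["ABCDEF1234567890ABCDEF1234567890ABCDEF12"],
      "roave/security-advisories": ["1234567890ABCDEF1234567890ABCDEF12345678"]
    }
  }
}
JSON;

/**
 * Fingerprints allowed for $package: an exact "vendor/package" entry wins;
 * otherwise fall back to the "vendor/*" entry; otherwise nothing is trusted.
 */
function allowedFingerprints(array $mapping, string $package): array
{
    if (isset($mapping[$package])) {
        return array_map('strtoupper', $mapping[$package]);
    }
    [$vendor] = explode('/', $package, 2);
    return array_map('strtoupper', $mapping[$vendor . '/*'] ?? []);
}

/**
 * Accept a signature only if it was made by one of the configured keys.
 * Full 40-hex fingerprints are compared; short key IDs are rejected because
 * they can collide and would widen what the project actually trusts.
 */
function signerIsTrusted(array $mapping, string $package, string $signerFingerprint): bool
{
    $fpr = strtoupper($signerFingerprint);
    if (!preg_match('/^[0-9A-F]{40}$/', $fpr)) {
        return false;
    }
    return in_array($fpr, allowedFingerprints($mapping, $package), true);
}

$mapping = json_decode($rootComposerJson, true, 512, JSON_THROW_ON_ERROR)['extra']['gpg-trusted-keys'];

// Constructed signer fingerprints, as one would parse them from gpg's VALIDSIG status lines.
var_dump(signerIsTrusted($mapping, 'roave/better-reflection', 'abcdef1234567890abcdef1234567890abcdef12')); // matched via roave/*
var_dump(signerIsTrusted($mapping, 'roave/security-advisories', 'ABCDEF1234567890ABCDEF1234567890ABCDEF12')); // exact entry shadows roave/*
var_dump(signerIsTrusted($mapping, 'other/package', 'ABCDEF1234567890ABCDEF1234567890ABCDEF12')); // vendor not mapped at all
```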