yoctoproject / bmaptool

BMAP Tools
GNU General Public License v2.0

Add --keyring and --fingerprint options #32

Open josch opened 3 months ago

josch commented 3 months ago

Building on the work of #1 and #31, it is possible to further refactor the gpg verification code and add additional verification mechanisms other than using the python gpgme binding. With these changes, it is possible to pass a gpg keyring to bmaptool. So now I can instruct consumers of my disk images to run this:

bmaptool copy --keyring=/usr/share/keyrings/debian-keyring.gpg http://disk.img /dev/sda

And they will have the assurance that whatever they download, extract and copy to their disk was signed by the same gpg keys as their Debian OS. For even more paranoid people there is the --fingerprint option which forces the bmap file to be signed by the given fingerprint.

What do you think?

josch commented 3 months ago

Should bmaptool error out if the user supplied the --keyring or --fingerprint options but then bmaptool did not manage to discover a gpg signature? I think doing so would be a sane default, agreed?
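
An added example, not code from this pull request or from bmaptool: one way to express the fail-closed behaviour asked about above, together with fingerprint pinning, assuming the verifier's result is available as GnuPG status lines (as written by `gpgv --status-fd`). The function names, the sample status text and the fingerprints are constructed for illustration.

```python
# Added illustration, not bmaptool code; every name here is hypothetical.
# Assumes the verifier's status-fd text has already been captured as a string.
PREFIX = "[GNUPG:] "
# Keywords that must veto a result even if a VALIDSIG line is also present.
VETO = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
SUBKEY, PRIMARY = "A" * 40, "B" * 40  # constructed fingerprints
GOOD_STATUS = (  # constructed sample status output
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {SUBKEY} 2024-01-01 1704067200 0 4 0 1 10 00 {PRIMARY}\n"
)


class SignatureError(Exception):
    """The bmap file must not be used."""


def parse_status(text):
    """Return (fingerprints of valid signers, True if any veto keyword seen)."""
    signers, vetoed = set(), False
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            continue
        fields = line[len(PREFIX):].split()
        if not fields:
            continue
        if fields[0] in VETO:
            vetoed = True
        elif fields[0] == "VALIDSIG" and len(fields) >= 11:
            # fields[1] is the signing (sub)key, fields[-1] the primary key
            signers.update({fields[1].upper(), fields[-1].upper()})
    return signers, vetoed


def check_bmap_signature(status, signature_found, keyring=None, fingerprint=None):
    """Return the accepted signer fingerprints or raise SignatureError."""
    if not signature_found:
        if keyring is not None or fingerprint is not None:
            raise SignatureError("verification requested but no signature found")
        return set()  # nothing was demanded: caller continues unverified
    signers, vetoed = parse_status(status)
    if vetoed or not signers:
        raise SignatureError("signature did not verify against the keyring")
    if fingerprint is not None:
        wanted = fingerprint.replace(" ", "").upper()
        if len(wanted) != 40 or wanted not in signers:
            raise SignatureError("signature is not from the pinned fingerprint")
    return signers
```

The pin is compared only as a full 40-hex-digit fingerprint, so a short key ID never satisfies it, and an expired or revoked key is rejected even when a `VALIDSIG` line is present.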