don't bypass the web of trust (#378) #379
Conversation
@Lightning-, maybe you could add this information to the README? I'd figure some people may run into issues and prefer the old way (for whatever reason).
@tlimoncelli I'm trying to analyze why the test fails but somehow I'm a little bit lost in the mixture of go and bash (I'm not a golang guy but think I can read the code; maybe I made a mistake somewhere ...). Could you drop me a verbose/debug run of the check somehow?
hmmm, actually this doesn't print all those
@tlimoncelli I think we gotta fix several other things here first, because the current go-based test is not (no longer? gpg2 etc.) solid enough. This would be beneficial for my other upcoming patches as well.
the choice whether to use a web of trust and on which trust level is up to the user of PGP/GPG and must not be overridden by tools that are set on top

users can decide to ignore this safety net by setting their gpg.conf adequately, defining an alias for `gpg --trust-model=always` or passing the env GPG to blackbox in this way but we should not override their preferences hardcoded
add note about the web of trust
assume that we have `--quick-generate-key` if we run gpg2 instead of doing a dry run for that (which has side effects that break the test)
a800a12 to b623c14
@tlimoncelli can we try to proceed here?
Thanks for the reminder. I was out for a bit.
Thanks for tightening the security of Blackbox!