Update 1password-cli: add gpg stanza #38398
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commitay
reviewed
Sep 8, 2017
Casks/1password-cli.rb
Outdated
| @@ -8,6 +8,7 @@ | |||
| checkpoint: 'a0c73938742c33399b0d408dac38e5aaa23a56e8a76ba0603876398f7cc38ccb' | |||
| name '1Password CLI' | |||
| homepage 'https://support.1password.com/command-line/' | |||
| gpg "op.sig", key_id: '3fef9748469adbe15da7ca80ac2d62742012ea22' | |||
There was a problem hiding this comment.
'op.sig'
Should we use key_url and check https://keybase.io/1password/pgp_keys.asc?
There was a problem hiding this comment.
Sounds reasonable. I have changed the stanza to use key_url.
commitay
added
the
awaiting maintainer feedback
|
Thanks @commitay for the pointer – I didn’t know that Not on a Mac right now; going to check it out as soon as I am. |
Even though we’re not quite there yet regarding GPG support (cf. issue #5971 and PR Homebrew/brew#1335), I’d still prefer for new casks to have `gpg` stanzas where detached signatures are available (cf. PR #6185). For details on the authenticity of the public key, see: - https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool - https://keybase.io/1password
commitay
removed
the
awaiting maintainer feedback
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Even though we’re not quite there yet regarding GPG support (cf. issue #5971 and PR Homebrew/brew#1335), I’d still prefer for new casks to have
gpgstanzas where detached signatures are available (cf. PR #6185).To double-check the GnuPG public keyUpdate This PR no longer includes the fingerprint of the public key (3fef9748469adbe15da7ca80ac2d62742012ea22used in this commit, please see:key_id); instead, the stanza now points to the public key as is on keybase.io (key_url, thanks @commitay for the suggestion). Once the validation feature is implemented, the stanza is supposed to download the GnuPG public key from keybase.io. I have no opinion as to whetherkey_idorkey_urlis more secure; however, I feelkey_urlmakes it easier to review the Cask definition, and maintainer convenience benefits security.For more details on the authenticity of the public key, see:
https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool
https://keybase.io/1password
After making all changes to the cask:
brew cask audit --download {{cask_file}}is error-free.brew cask style --fix {{cask_file}}reports no offenses.Explanation: No change in version, just adding a stanza.
Additionally, if updating a cask:
sha256changed butversionstayed the same (what is this?).I’m providing public confirmation below.
Explanation: No change in
sha256.Additionally, if adding a new cask:
brew cask install {{cask_file}}worked successfully.brew cask uninstall {{cask_file}}worked successfully.Explanation: No cask(s) added.