Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add gpg stanza to compatible casks #6185

Merged
merged 21 commits into from
Oct 7, 2014
Merged

Add gpg stanza to compatible casks #6185

merged 21 commits into from
Oct 7, 2014

Conversation

tapeinosyne
Copy link
Contributor

Add gpg stanza to casks for which keys and detached signatures are available. Feel free to add entries to the list.

Known compatible:

  • cryptol
  • electrum
  • electrum-ltc
  • espionage
  • git-annex
  • gpgtools
  • horndis
  • jameica
  • libreoffice
  • linphone
  • litecoin
  • lyx
  • macports
  • multibit
  • mumble
  • mysqlworkbench
  • onionshare
  • pgadmin3
  • ricochet
  • torbrowser
  • vlc
  • armory — no detached signature
  • bitcoin — no detached signature
  • wireshark — no detached signature

@tapeinosyne tapeinosyne mentioned this pull request Sep 14, 2014
Closed
9 tasks
@fanquake
Copy link
Contributor

@ndr-qef I'm adding more casks to your compatible list above.

@rolandwalker rolandwalker changed the title Add gpg stanza to compatible casks WIP Add gpg stanza to compatible casks Sep 15, 2014
@tapeinosyne
Copy link
Contributor Author

@fanquake, thanks. Unfortunately, armory and bitcoin only offer signed hashes, which we cannot verify automatically—at least, not without parsing stdout.

@vitorgalvao, I would like your opinion on cask layout. What should be the canonical position of the gpg stanza?

Something to consider is that many signatures are found at urls which equal their package's, plus .asc or .sig. Moving gpg after url would allow us to interpolate the latter. The gain in clarity is particularly evident with long urls, such as those found in the libreoffice cask.

E.g. gpg before url:

gpg 'https://example.com/package.dmg.asc'
    :key_id '…'

url 'https://example.com/package.dmg'

gpg after url:

url 'https://example.com/package.dmg'
gpg "#{url}.asc"
    :key_id '…'

@vitorgalvao
Copy link
Member

Moving gpg after url would allow us to interpolate the latter.

That also sounds like the best option, to me. We already put appcast in that section as well, so it seems like a good place to make the addition; having all of the “url-related” stanzas in a block makes sense. Having url as the first option is both convenient and clear, so I say we go with your suggestion.

@tapeinosyne
Copy link
Contributor Author

12 casks of varying key type should suffice for a start. Once Travis passes, I will mark this PR as ready.

@fanquake
Copy link
Contributor

@ndr-qef Ah I see.

Also agree with your layout suggestion

@tapeinosyne
Copy link
Contributor Author

I crawled the most predictable urls for gpg signatures, obtaining 8 new candidates. This PR now includes all gpg signatures which can be reasonably autodiscovered.

Casual statistic: approximately 1% of our casks offer gpg verification.

@tapeinosyne tapeinosyne changed the title WIP Add gpg stanza to compatible casks Add gpg stanza to compatible casks Sep 16, 2014
tapeinosyne pushed a commit that referenced this pull request Oct 7, 2014
Merge pull request #6185 from ndr-qef/gpg-compatible-casks
67b1f17 
Add gpg stanza to compatible casks
@tapeinosyne tapeinosyne merged commit 67b1f17 into Homebrew:master Oct 7, 2014
@tapeinosyne tapeinosyne deleted the gpg-compatible-casks branch October 7, 2014 22:46
@claui claui mentioned this pull request Sep 8, 2017
Merged
10 tasks
commitay pushed a commit that referenced this pull request Sep 20, 2017
@claui @commitay
Update 1password-cli: add gpg stanza (#38398)
fc01fd6 
Even though we’re not quite there yet regarding GPG support (cf.
issue #5971 and PR Homebrew/brew#1335), I’d
still prefer for new casks to have `gpg` stanzas where detached
signatures are available (cf. PR #6185).

For details on the authenticity of the public key, see:

- https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool

- https://keybase.io/1password
@Homebrew Homebrew locked and limited conversation to collaborators May 8, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tapeinosyne @fanquake @vitorgalvao