[Pkg-rust-maintainers] Bug#1031019: sqop verify underdocumented, seems to expect to be verified file on stdin

Daniel Kahn Gillmor dkg at debian.org
Sun Jul 21 22:10:17 BST 2024


Hi Andreas--

On Fri 2023-02-10 15:31:27 +0100, Andreas Metzler wrote:
> According to both manpage and "sqop help verify" sqop verify accepts
> exactly two args (sig and cert) plus two options
> (--not-after/--not-before).
>
> However this command simply hangs:
> sqop verify gnutls28_3.7.8.orig.tar.xz.asc gnutls-3.7.8/debian/upstream/signing-key.asc
>
> Reading #969590 I found that the to-be verified tarball needs to be
> passed as third arg on stdin.

Technically this isn't a third argument, it's just stdin.  sqop
implements the standard Stateless OpenPGP Command Line Interface, which
is found at
https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/

Hopefully that documentation is clearer than the manpages shipped with
sqop.

This crate should really create more up-to-date manpages during build,
and the manpages should describe the expectations for stdin/stdout more
clearly. I think that's at least in part an upstream concern:

https://gitlab.com/sequoia-pgp/sequoia-sop/-/issues/33

Regards,
        --dkg
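
The stdin convention described in this message, as an added shell example that is not part of the original mail or of sqop. `verify_detached` and `SOP_BIN` are names invented here; the only assumption is the `verify SIGNATURE CERT` form quoted in the report, with the signed data arriving on standard input.

```shell
# Added example: a guard around `sop verify` so a missing stdin fails fast
# instead of blocking on the terminal. SOP_BIN and verify_detached are
# hypothetical names; sqop is used as the default SOP implementation.
SOP_BIN="${SOP_BIN:-sqop}"

# verify_detached SIGNATURE CERT [DATAFILE]
#   With DATAFILE: the signed data is redirected onto the child's stdin.
#   Without it:    stdin must already be a pipe or a file, not a terminal.
verify_detached() {
    if [ "$#" -lt 2 ] || [ "$#" -gt 3 ]; then
        echo "usage: verify_detached SIGNATURE CERT [DATAFILE]" >&2
        return 64
    fi
    sig=$1 cert=$2 data=${3:-}
    for f in "$sig" "$cert"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 66; }
    done
    if [ -n "$data" ]; then
        [ -r "$data" ] || { echo "cannot read: $data" >&2; return 66; }
        # The data is not an argument; it is fed to stdin.
        "$SOP_BIN" verify "$sig" "$cert" < "$data"
    elif [ -t 0 ]; then
        # The case from the bug report: the command would wait on the tty.
        echo "no data on stdin; pass DATAFILE or redirect the signed file" >&2
        return 64
    else
        "$SOP_BIN" verify "$sig" "$cert"
    fi
}
```

The function returns whatever the SOP implementation returns, so a caller can gate an unpack step on it, for example `verify_detached sig.asc cert.asc file.tar.xz && tar xf file.tar.xz`.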