tech-userlevel archive
CVS commit: src/usr.bin/nbsvtool
In article <20080714202542.GA5840%britannica.bec.de@localhost> Joerg wrote:
: On Mon, Jul 14, 2008 at 10:10:27PM +0200, Dieter Baron wrote:
: > In article <20080714191059.GA5088%britannica.bec.de@localhost> Joerg wrote:
: > : On Mon, Jul 14, 2008 at 08:55:45PM +0200, Dieter Baron wrote:
: > : > attached is an updated version of the man page, please review.
: >
: > : I'm considering adding a second argument for the sign command and
: > : default to ${file}.sp7 otherwise. That would be consistent with verify.
: > : Opinions?
: >
: > I would rather specify the signature file as an option (-o or -s),
: > for both sign and verify. That way, we could specify more than one
: > file to sign/verify (with the default signature file name).
: For verify you can already do that. The second argument is optional.
: The question is if sign should behave the same :)
Ahem, the code disagrees with you. You cannot verify more than one
file with one invocation of nbsvtool.

What I'm suggesting allows this:

    $ nbsvtool -a anchor verify file1 file2
    # verify file1 against signature file1.ps7
    # and verify file2 against signature file2.ps7

and the same for signing. (While this might be of questionable value
for verify, it would be convenient when trying to sign a bunch of
files.)
: > : > - What is trusted if no trust anchor is given?
: >
: > : Nothing.
: >
: > So is there any way for verify to succeed without a trust anchor?
: That is right.
: > Otherwise, -a is required for verify to make sense (and that should be
: > noted in the man page, and probably enforced by the code).
: Well, in the longer term we should have a default trust anchor. I did
: not include that part from the original code from Love as it needs a
: decision where it should be, it needs care to not be changed randomly
: etc. I think documenting it as such in the man page is the best approach
: for now.
Okay, what about this:
.Sh CAVEATS
.Pp
As there is currently no default trust anchor, you must explicitly
specify one with
.Ar Fl a ,
otherwise every verification will fail.
yours,
dillo