I discovered last night that gpg has an alternate output mode which is intended to be
Sun, 21 Sep 2003 02:40:52 +0000
I discovered last night that gpg has an alternate output mode which is intended to be machine-parseable, so I've just committed some exciting new breakage to SBCL's asdf-install contrib to make it a bit smarter about checking GPG signatures. It now attempts to check signatures for all packages no matter where they've come from, but there are restarts to bypass most of the checks.
A package may:
- have no gpg signature at all
- be signed by a gpg key you don't have on your keyring
- be signed by a key on your keyring but which you don't have a trust relationship with (i.e. nobody you know has signed it)
- be signed by a trusted key, but not be on the list of package suppliers (after all, just because you trust that someone is who they say they are doesn't mean you want to install their Lisp software)
The first two of these are presently terminal errors, the third can be ignored, and the fourth has a restart that lets you add the packager to your package supplier list. The package supplier list is stored between sessions in ~/.sbcl/trusted-uids.lisp
This is an incompatible change: cue evil laughter.
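The four cases above can be read straight off gpg's status lines (the --status-fd output, assumed here to be the machine-parseable mode meant above). The following is an added example, not asdf-install's own code: it assumes the supplier list holds key fingerprints and that only full or ultimate trust counts as trusted, and it goes one step beyond the list by failing closed on a BADSIG line.

```python
from enum import Enum

PREFIX = "[GNUPG:] "
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}  # assumption: marginal trust is not enough

class Verdict(Enum):
    NO_SIGNATURE = 1        # terminal: nothing gpg reported as a good signature
    BAD_SIGNATURE = 2       # terminal: signature does not match the data
    KEY_NOT_ON_KEYRING = 3  # terminal: cannot verify at all
    KEY_NOT_TRUSTED = 4     # may be ignored by the user
    NOT_A_SUPPLIER = 5      # user may add the signer to the supplier list
    OK = 6

def parse_status(text):
    """Split gpg status output into (keyword, args) records."""
    records = []
    for line in text.splitlines():
        fields = line[len(PREFIX):].split() if line.startswith(PREFIX) else []
        if fields:
            records.append((fields[0], fields[1:]))
    return records

def classify(status_text, suppliers):
    """Return (Verdict, fingerprint or None); checks run most severe first."""
    records = parse_status(status_text or "")
    seen = {keyword for keyword, _ in records}
    if "BADSIG" in seen:
        return Verdict.BAD_SIGNATURE, None
    if "NO_PUBKEY" in seen:
        return Verdict.KEY_NOT_ON_KEYRING, None
    fpr = next((a[0] for k, a in records if k == "VALIDSIG" and a), None)
    if "GOODSIG" not in seen or fpr is None:
        return Verdict.NO_SIGNATURE, None
    if not seen & TRUSTED:
        return Verdict.KEY_NOT_TRUSTED, fpr
    if fpr not in suppliers:
        return Verdict.NOT_A_SUPPLIER, fpr
    return Verdict.OK, fpr

# Constructed sample status output (fingerprint and key id are made up).
FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>\n"
        "[GNUPG:] VALIDSIG " + FPR + " 2003-09-20 1064020000\n")
MISSING_KEY = "[GNUPG:] ERRSIG 89ABCDEF01234567 17 2 00 1064020000 9\n[GNUPG:] NO_PUBKEY 89ABCDEF01234567\n"

if __name__ == "__main__":
    for name, status in [("unsigned", ""), ("missing key", MISSING_KEY),
                         ("untrusted", GOOD + "[GNUPG:] TRUST_UNDEFINED\n"),
                         ("trusted", GOOD + "[GNUPG:] TRUST_FULLY\n")]:
        print(name, "->", classify(status, suppliers=set())[0].name)
```

Matching on the VALIDSIG fingerprint rather than the user ID string in GOODSIG matters because anyone can create a key carrying someone else's name and e-mail address.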