Date: Sat, 05 Sep 2015 14:39:48 -0400
From: jvarner@gmail.com
To: ctm-users@freebsd.org
Cc: Peter Wemm <peter@wemm.org>
Subject: Re: Future of CTM
Message-ID: <201509051839.t85IdmIJ047044@eden.local>
(apologies for not replying to previous emails; just subscribed to
the list...)
Peter Wemm wrote:
> I have been trying to find an example of somebody who is actually
> verifying signatures before piping the messages to ctm_rmail.
I am such an example. The following recipe is the one I use (I
use nmh, so for most people the pipe to rcvstore should be
replaced with a simple mailbox or maildir delivery):
:0
* ^X-BeenThere: ctm-ports-cur@freebsd.org
{
    :0 c: ${MAILDIR}/ctm-ports.${LOCKEXT}
    | rcvstore +ctm-ports -nounseen

    :0 c
    | gpg --no-default-keyring --keyring ${PMDIR}/ctm.key --verify

    :0 a
    | ctm_rmail -p ${HOME}/ctms/ports/pieces -d ${HOME}/ctms/ports/deltas -l ${PMDIR}/ctm.log
}
Where ctm.key was produced by importing and exporting the ascii
armored key from the mailman info page. I did check to confirm
that modifying a signed CTM message will prevent ctm_rmail from
running (gpg exits with a status of 2, which prevents the 'a'
recipe from running). I did not check to confirm that a
mis-signed message would not verify, but my presumption is that
the combination of --no-default-keyring and --keyring should
prevent that verification from working since the only key in the
specified keyring is the CTM signing key.
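
The message above leaves the mis-signed case untested and relies on the dedicated keyring holding only one key. One way to make that check explicit, as an added example that is not part of the original message: read gpg's --status-fd output and accept the mail only when a VALIDSIG line names a pinned fingerprint. The function names, the CTM_FPR placeholder and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail-closed signature gate for a procmail pipe.
# CTM_FPR is a placeholder; set it to the fingerprint of the key in ctm.key.
CTM_FPR="0000000000000000000000000000000000000000"

# sig_is_pinned FPR
# Reads "gpg --status-fd" lines on stdin. Succeeds only if a VALIDSIG line
# carries FPR (signing key, field 3, or primary key, last field) and no
# line reports a bad, unverifiable, expired or revoked signature.
# gpg prints fingerprints as upper-case hex, so FPR must be upper-case too.
sig_is_pinned() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) good = 1; else bad = 1
        }
        END { exit !(good && !bad) }
    '
}

# verify_ctm_mail KEYRING FPR
# Message on stdin. Exit status 0 only for a signature from the pinned key,
# so it can replace the plain "gpg ... --verify" action ahead of an 'a' recipe.
verify_ctm_mail() {
    gpg --no-default-keyring --keyring "$1" --status-fd 1 --verify 2>/dev/null |
        sig_is_pinned "$2"
}

# Constructed sample of gpg status output (fingerprint and signer are made up).
SAMPLE_FPR="AAAABBBBCCCCDDDDEEEEFFFF0000111122223333"
SAMPLE_GOOD="[GNUPG:] GOODSIG 0000111122223333 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-09-05 1441478388 0 4 0 1 8 01 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 0000111122223333 Constructed Signer <signer@example.invalid>"
SAMPLE_NOKEY="[GNUPG:] ERRSIG 4444555566667777 1 8 01 1441478388 9
[GNUPG:] NO_PUBKEY 4444555566667777"
```

With this in place, a message signed by any other key fails whether or not that key is later added to the keyring, because the decision rests on the fingerprint and not on the keyring contents alone.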
