GNOME Bugzilla – Bug 757524
GPG docs suggest keeping private keys on a device.
Last modified: 2015-11-08 02:29:28 UTC
From "man ostree": "GPG VERIFICATION OSTree supports signing commits with GPG. The set of trusted keys is stored as keyring files in /usr/share/ostree/trusted.gpg.d. *Any key in any keyring in that directory may be used to sign commits.*"

GPG docs suggest keeping private keys on a device. This sounds like a bad idea, since a private key should be kept private. To verify the signature of updates on a device it is sufficient to keep only the pubring.gpg in /usr/share/ostree/trusted.gpg.d on the device.

The confusing line is: "*Any key in any keyring in that directory may be used to sign commits.*" It doesn't really matter where you keep the key on the server when signing the commits.
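As an added illustration of the point made in the report above (this is example code, not part of the bug report or of the ostree project), the following Python check scans a keyring file of the kind that is dropped into /usr/share/ostree/trusted.gpg.d and reports whether it carries any secret-key material. It assumes the binary OpenPGP keyring format (RFC 4880 packet headers, old and new style), which is what `gpg --export` writes; the two sample keyrings at the bottom are constructed inline with placeholder key bodies so the script runs offline.

```python
"""Check that an OSTree trust keyring holds only public-key packets.

Added example for the discussion above; not code from the ostree project.
Parses RFC 4880 packet headers and flags secret-key (tag 5) and
secret-subkey (tag 7) packets, which must never ship on a device.
"""
import sys

SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY = 5, 6, 7
USER_ID, PUBLIC_SUBKEY, SIGNATURE = 13, 14, 2
SECRET_TAGS = {SECRET_KEY, SECRET_SUBKEY}


def parse_packets(data: bytes):
    """Yield (tag, body) for each OpenPGP packet in a binary keyring."""
    pos, end = 0, len(data)
    while pos < end:
        ctb = data[pos]          # cipher type byte: bit 7 must be set
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"offset {pos - 1:#x}: not an OpenPGP packet header")
        if ctb & 0x40:           # new-format header: 6-bit tag, variable length
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths are not supported here")
        else:                    # old-format header: 4-bit tag, 2-bit length type
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported here")
            size = 1 << ltype    # 1, 2 or 4 length octets
            length = int.from_bytes(data[pos:pos + size], "big")
            pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def find_secret_packets(data: bytes):
    """Return [(packet_index, tag)] for every secret key or subkey packet."""
    return [(i, tag) for i, (tag, _) in enumerate(parse_packets(data))
            if tag in SECRET_TAGS]


def keyring_is_public_only(data: bytes) -> bool:
    """True if the keyring can safely be installed as a trust anchor."""
    return not find_secret_packets(data)


# --- constructed sample keyrings (placeholder bodies, not real keys) ---------
def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header with a one-octet length (tag < 16, body < 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _new_packet(tag: int, body: bytes) -> bytes:
    """New-format header with a one- or two-octet length (body < 8384 bytes)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    n -= 192
    return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body


_KEY_BODY = b"\x04\x56\x3e\x5f\x00\x01" + b"\x00" * 16   # fake v4 key material
_UID = b"Example Signer <signer@example.invalid>"

# What `gpg --export` produces: primary public key, user ID, self-sig, subkey.
PUBLIC_KEYRING = (_old_packet(PUBLIC_KEY, _KEY_BODY) + _new_packet(USER_ID, _UID)
                  + _new_packet(SIGNATURE, b"\x00" * 200)
                  + _old_packet(PUBLIC_SUBKEY, _KEY_BODY))

# What `gpg --export-secret-keys` would produce: must never reach a device.
LEAKED_KEYRING = (_old_packet(SECRET_KEY, _KEY_BODY) + _new_packet(USER_ID, _UID)
                  + _old_packet(SECRET_SUBKEY, _KEY_BODY))


if __name__ == "__main__":
    # Usage: python check_keyring.py /usr/share/ostree/trusted.gpg.d/*.gpg
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            leaks = find_secret_packets(fh.read())
        print(f"{path}: {'OK' if not leaks else 'SECRET MATERIAL ' + str(leaks)}")
```

The keyring installed under trusted.gpg.d should come from `gpg --export <keyid>`, which writes only public-key packets; the signing key itself stays on the build host (or a smart card) and is only needed by `ostree commit --gpg-sign`.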
Ok, I tried to reword this in: https://git.gnome.org/browse/ostree/commit/?id=efdb4d8f443768e59529c299290bee8b1f8f93c3
Should it mention something about importing keys for a particular remote? I thought we had deprecated the global /usr/share/ostree/trusted.gpg.d location.