Using PGP keys to sign documents, helpful for needauth converters?

Richard Kimberly Heck rikiheck at lyx.org
Sat Aug 1 06:38:11 UTC 2020


On 7/9/20 12:07 AM, Richard Kimberly Heck wrote:
> On 7/7/20 4:39 AM, Pavel Sanda wrote:
>> On Mon, Jul 06, 2020 at 02:30:57PM -0400, Richard Kimberly Heck wrote:
>>> Could we use the private key to put some kind of signature into the
>>> header, along with an indication of what key is needed to verify it?
>> We could just store in the header ascii-armorized signature from pgp
>> of the .lyx file (without this section) and perhaps store fingerprint
>> which would help with importing the public key of person who signed it.
>>
>> We should be however cautious whether we would automatize key
>> retrieval - I would let the user handle the key retrieval business
>> on his own. The old keyservers are a half-way broken method nowadays
>> and many projects use different ways of distributing keys.
> Yes, I was thinking NOT to automate that. People would need to import
> keys manually if they wanted to do that. We could pop some kind of
> message about what key needed importing. The idea here is just to make
> it possible to mark documents as "safe", not to make it easy to mark
> them as "safe". (I'm imagining some exploit that makes LyX import the
> key of the attacker....)

PING.

Just wondering if anyone is interested in pursuing this further. It's
not a feature I use, but I could possibly be convinced to work on it for
2.4.0 if it seemed important.

Riki
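
The scheme discussed in this thread (a detached, ASCII-armored signature stored in the header, computed over the file without that section, plus a fingerprint hint and no automatic key retrieval) could be checked as sketched below. This is an added example, not LyX code and not part of the original message: the `\begin_signature`, `\end_signature` and `\signer_fingerprint` markers and the caller-supplied `trusted` set are hypothetical, and it assumes `gpg` is on the PATH.

```python
import re
import subprocess
import tempfile

# Hypothetical markers: LyX has no signature section; these names are invented here.
SIG_BLOCK = re.compile(
    rb"\\begin_signature\n\\signer_fingerprint ([0-9A-F]{40})\n(.*?)\\end_signature\n",
    re.DOTALL)

# Constructed sample: a minimal LyX-like file with a placeholder signature body.
SAMPLE = (b"#LyX file\n\\begin_document\n\\begin_header\n"
          b"\\begin_signature\n\\signer_fingerprint " + b"A" * 40 + b"\n"
          b"-----BEGIN PGP SIGNATURE-----\n(placeholder)\n-----END PGP SIGNATURE-----\n"
          b"\\end_signature\n"
          b"\\end_header\n\\begin_body\n\\end_body\n\\end_document\n")

def split_signed(doc: bytes):
    """Return (signed_bytes, fingerprint, armored_sig); signed_bytes omits the section."""
    blocks = list(SIG_BLOCK.finditer(doc))
    if len(blocks) != 1:
        raise ValueError("expected exactly one signature section, found %d" % len(blocks))
    m = blocks[0]
    return doc[:m.start()] + doc[m.end():], m.group(1).decode(), m.group(2)

def valid_fingerprints(status: str) -> set:
    """Signing-key and primary-key fingerprints from gpg VALIDSIG status lines."""
    found = set()
    for line in status.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            found.update((parts[2], parts[-1]))
    return found

def verify(doc: bytes, trusted: set) -> bool:
    """True only if a key the user imported and listed in `trusted` made the signature."""
    body, claimed, sig = split_signed(doc)
    if claimed not in trusted:
        return False  # the fingerprint in the file is a hint, never a trust decision
    with tempfile.NamedTemporaryFile() as s, tempfile.NamedTemporaryFile() as b:
        s.write(sig)
        s.flush()
        b.write(body)
        b.flush()
        # --no-auto-key-retrieve: never fetch the signer's key from a keyserver.
        proc = subprocess.run(
            ["gpg", "--batch", "--no-auto-key-retrieve", "--status-fd", "1",
             "--verify", s.name, b.name],
            capture_output=True, text=True)
    return proc.returncode == 0 and claimed in valid_fingerprints(proc.stdout)
```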



