Using PGP keys to sign documents, helpful for needauth converters?

Richard Kimberly Heck rikiheck at lyx.org
Thu Jul 9 04:07:38 UTC 2020


On 7/7/20 4:39 AM, Pavel Sanda wrote:
> On Mon, Jul 06, 2020 at 02:30:57PM -0400, Richard Kimberly Heck wrote:
>> Could we use the private key to put some kind of signature into the
>> header, along with an indication of what key is needed to verify it?
> We could just store in the header ascii-armorized signature from pgp
> of the .lyx file (without this section) and perhaps store fingerprint
> which would help with importing the public key of person who signed it.
>
> We should be however cautious whether we would automatize key
> retrieval - I would let the user handle the key retrieval business
> on his own. The old keyservers are a half-way broken method nowadays
> and many projects use different ways of distributing keys.

Yes, I was thinking NOT to automate that. People would need to import
keys manually if they wanted to do that. We could pop some kind of
message about what key needed importing. The idea here is just to make
it possible to mark documents as "safe", not to make it easy to mark
them as "safe". (I'm imagining some exploit that makes LyX import the
key of the attacker....)

Riki
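
The scheme discussed in this message, sketched as an added example (not LyX code and not from either poster): the signature section is cut out of the file to recover the signed bytes, and the stored fingerprint is used only to tell the user which key to import by hand. The `\begin_signature`, `\end_signature` and `\fingerprint` markers, the function names and the sample document are all hypothetical, and a 40-hex-digit fingerprint is assumed.

```python
import re

# Hypothetical section markers: LyX defines no such header section.
BEGIN, END = "\\begin_signature", "\\end_signature"
FPR_RE = re.compile(r"^\\fingerprint\s+([0-9A-Fa-f ]+)$")

# Constructed sample; the signature body is a placeholder, not a real signature.
SAMPLE = (
    "#LyX file\n\\lyxformat 544\n"
    "\\begin_signature\n"
    "\\fingerprint " + "AB12" * 10 + "\n"
    "-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER\n-----END PGP SIGNATURE-----\n"
    "\\end_signature\n"
    "\\begin_document\nHello\n\\end_document\n"
)


def split_signed_document(text):
    """Return (payload, fingerprint, armored_sig); payload is the file minus the section."""
    lines = text.splitlines(keepends=True)
    starts = [i for i, l in enumerate(lines) if l.strip() == BEGIN]
    ends = [i for i, l in enumerate(lines) if l.strip() == END]
    # More than one section would make it ambiguous which bytes were signed.
    if len(starts) != 1 or len(ends) != 1 or ends[0] < starts[0]:
        raise ValueError("expected exactly one signature section")
    s, e = starts[0], ends[0]
    section = [l.rstrip("\r\n") for l in lines[s + 1:e]]
    m = FPR_RE.match(section[0]) if section else None
    fpr = m.group(1).replace(" ", "").upper() if m else ""
    if len(fpr) != 40:
        raise ValueError("missing or malformed fingerprint")
    armored = "\n".join(section[1:]).strip() + "\n"
    if not armored.startswith("-----BEGIN PGP SIGNATURE-----"):
        raise ValueError("no ASCII-armored signature found")
    return "".join(lines[:s] + lines[e + 1:]), fpr, armored


def decide(text, imported_fingerprints):
    """Choose the next step without ever fetching a key.

    The fingerprint in the file is an untrusted hint: it only selects the
    message shown to the user. Trust comes from the user's own keyring.
    """
    payload, fpr, armored = split_signed_document(text)
    if fpr not in imported_fingerprints:
        return ("need-import", f"Signed with key {fpr}; import it manually to verify.")
    # Caller passes payload and armored to e.g. `gpg --verify sigfile datafile`.
    return ("verify", payload, armored)
```

After a successful `gpg --verify`, the caller should still compare the fingerprint gpg reports against the user's own list, since the one stored in the file is written by whoever produced the file.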



