author | Joey Hess <joeyh@joeyh.name> | 2017-05-20 17:09:28 -0400 |
---|---|---|
committer | Joey Hess <joeyh@joeyh.name> | 2017-05-20 17:21:08 -0400 |
commit | 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 (patch) | |
tree | 1d7489b13e5ae950a849508857111966e538625e /debug-me.1 | |
parent | 34b0151e125a6698f57ea476ccfa922c6275edf1 (diff) | |
download | debug-me-73a310ce49c91f0884d05a8d2cd8c96c3c5447d3.tar.gz |
developer keyring verification
* gpg keyrings in /usr/share/debug-me/ will be checked
to see if a connecting person is a known developer of software
installed on the system, and so implicitly trusted already.
Software packages/projects can install keyrings to that location.
(Thanks to Sean Whitton for the idea.)
* make install will install /usr/share/debug-me/debug-me_developer.gpg,
which contains the key of Joey Hess. (stack and cabal installs don't
include this file because they typically don't install system-wide)
* debug-me.cabal: Added dependency on time.
This commit was sponsored by Francois Marier on Patreon.
Diffstat (limited to 'debug-me.1')
-rw-r--r-- | debug-me.1 | 13 |
1 files changed, 10 insertions, 3 deletions
@@ -14,13 +14,16 @@ problem. Making your problem their problem gets it fixed fast. A debug-me session is logged and signed with the developer's GnuPG key, producing a chain of evidence of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me secure. +If you trust a developer to ship software to your computer, +you can trust them to debug-me. .PP When you start debug-me without any options, it will connect to a debug-me server, and print out an url that you can give to the developer to get them connected to you. Then debug-me will show you their GnuPG key and who -has signed it. If the developer has a good reputation, you can proceed -to let them type into your console in a debug-me session. Once the -session is done, the debug-me server will email you the signed +has signed it, and will let you know if they are a known developer +of software on your computer. If the developer has a good reputation, you +can proceed to let them type into your console in a debug-me session. Once +the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. .PP It's a good idea to watch the debug-me session. The developer should be @@ -101,6 +104,10 @@ exits. .IP "~/.debug-me/log/remote/" When using debug-me to connect to a remote session, the session will be logged to here. +.UP "/usr/share/debug-me/keyring/*.gpg" +When verifying a developer's gpg key, debug-me checks if it's listed in +the keyrings in this directory, which can be provided by software installed +on the computer. .SH SEE ALSO <https://debug-me.branchable.com/> .PP |
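Review bot: In the first hunk (@@ -14,13 +14,16 @@), the added sentence "and will let you know if they are a known developer of software on your computer" does not say what the user sees, or how they should decide, when the key is not found in any keyring; the following sentence still leaves the decision to "a good reputation". Suggest stating how the keyring result relates to the list of signatures that is shown (whether it supplements or stands in for it). Since the second hunk says the keyrings "can be provided by software installed on the computer", it is also worth saying here that a match means only that some installed package shipped that key, so the claim "If you trust a developer to ship software to your computer, you can trust them to debug-me" is read with the right scope.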
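Review bot: In the second hunk (@@ -101,6 +104,10 @@), the new entry is introduced with `.UP "/usr/share/debug-me/keyring/*.gpg"`, while the entry directly above it uses `.IP "~/.debug-me/log/remote/"`; `.UP` looks like a typo for `.IP` and should be changed so the path is formatted like its neighbours. The documented path also disagrees with the commit message, which says keyrings in /usr/share/debug-me/ are checked and that make install puts the file at /usr/share/debug-me/debug-me_developer.gpg, with no keyring/ subdirectory. One of the two should be corrected so that packages installing a keyring put it where debug-me actually looks.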