From 73a310ce49c91f0884d05a8d2cd8c96c3c5447d3 Mon Sep 17 00:00:00 2001
From: Joey Hess
Date: Sat, 20 May 2017 17:09:28 -0400
Subject: developer keyring verification

* gpg keyrings in /usr/share/debug-me/ will be checked to see if a
  connecting person is a known developer of software installed on the
  system, and so implicitly trusted already. Software packages/projects
  can install keyrings to that location.
  (Thanks to Sean Whitton for the idea.)
* make install will install /usr/share/debug-me/debug-me_developer.gpg,
  which contains the key of Joey Hess. (stack and cabal installs don't
  include this file because they typically don't install system-wide)
* debug-me.cabal: Added dependency on time.

This commit was sponsored by Francois Marier on Patreon.
---
 debug-me.1 | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'debug-me.1')

diff --git a/debug-me.1 b/debug-me.1
index a0e108a..251e636 100644
--- a/debug-me.1
+++ b/debug-me.1
@@ -14,13 +14,16 @@ problem. Making your problem their problem gets it fixed fast. A debug-me session is logged and signed with the developer's GnuPG key, producing a chain of evidence of what they saw and what they did. So the developer's good reputation is leveraged to make debug-me secure. +If you trust a developer to ship software to your computer, +you can trust them to debug-me. .PP When you start debug-me without any options, it will connect to a debug-me server, and print out an url that you can give to the developer to get them connected to you. Then debug-me will show you their GnuPG key and who -has signed it. If the developer has a good reputation, you can proceed -to let them type into your console in a debug-me session. Once the -session is done, the debug-me server will email you the signed +has signed it, and will let you know if they are a known developer +of software on your computer. If the developer has a good reputation, you +can proceed to let them type into your console in a debug-me session. Once +the session is done, the debug-me server will email you the signed evidence of what the developer did in the session. .PP It's a good idea to watch the debug-me session. The developer should be @@ -101,6 +104,10 @@ exits. .IP "~/.debug-me/log/remote/" When using debug-me to connect to a remote session, the session will be logged to here. +.UP "/usr/share/debug-me/keyring/*.gpg" +When verifying a developer's gpg key, debug-me checks if it's listed in +the keyrings in this directory, which can be provided by software installed +on the computer. .SH SEE ALSO .PP -- cgit v1.2.3
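Review bot: In the first hunk (@@ -14,13 +14,16 @@), the added sentence "will let you know if they are a known developer of software on your computer" does not say what "known" is checked against, and the next sentence still tells the user to judge by "a good reputation" without saying how the two signals relate. Per the commit message, the check is membership in keyrings that any installed package can drop into /usr/share/debug-me/, so the trust boundary is whoever can write to that directory. Suggest saying that here in one sentence, and noting that the user should still look at the displayed key and its signatures before accepting the session, so that "If you trust a developer to ship software to your computer, you can trust them to debug-me" is not read as an automatic approval.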
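Review bot: In the second hunk (@@ -101,6 +104,10 @@), the new entry starts with `.UP "/usr/share/debug-me/keyring/*.gpg"`, but the neighbouring entries use `.IP` and `.UP` is not a man macro, so the path is likely to be dropped from the rendered page; this looks like a typo for `.IP`. The path also disagrees with the commit message, which says keyrings are checked in /usr/share/debug-me/ and that make install puts debug-me_developer.gpg directly in that directory, not under a keyring/ subdirectory. Since packagers will rely on this line to decide where to install keyrings, the documented path should match what the code actually reads. It would also help to state what the directory's ownership and permissions are expected to be, since anything able to write there can mark a key as a known developer.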