[FEATURE REQUEST] Add parameters to limit gpg.verify to a set of explicit keys
#63166
Labels: Execution-Module, Feature (new functionality including changes to functionality and code refactors, etc.), needs-triage
Is your feature request related to a problem? Please describe.
If my doctor advises me on the latest band I should listen to and my friends write me prescriptions, I might have a problem. I trust them both, but this trust depends on the scope. apt realized this when it deprecated apt-key. I would like to be able to verify that a signature on a file is from the signer(s) I expect it to be from, not some rando whose key I imported years ago.
Describe the solution you'd like
Add signed_by_any / signed_by_all parameters to gpg.verify, which make sure that only signatures by keys with specified fingerprints result in final success.
Describe alternatives you've considered
Using a separate keyring for each set of keys. This implies a separate gnupghome in Salt currently, since #59783 has not been implemented yet (coming).
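The check the requested parameters would perform, as an added illustration that is not Salt's own code: it reads GnuPG `--status-fd` lines, keeps only VALIDSIG signers, and applies the proposed signed_by_any / signed_by_all semantics against an allowlist of fingerprints. The fingerprints and status lines below are constructed sample values, and the parameter names follow the request above.

```python
# Added example, not part of Salt's gpg module: allowlist check over GnuPG
# --status-fd output implementing the proposed signed_by_any / signed_by_all.
import re
from typing import Iterable, Optional, Set

# VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <reserved> <pk-algo>
#          <hash-algo> <sig-class> [<primary-key-fpr>]
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8}(?: (\S+))?$")


def _norm(fpr: str) -> str:
    """Canonical fingerprint: no spaces, upper case, so allowlists compare reliably."""
    return re.sub(r"\s+", "", fpr).upper()


def valid_signer_fingerprints(status_lines: Iterable[str]) -> Set[str]:
    """Primary-key fingerprints of every *valid* signature.
    BADSIG / EXPKEYSIG / REVKEYSIG / ERRSIG lines never contribute a signer."""
    signers = set()
    for line in status_lines:
        m = _VALIDSIG.match(line.strip())
        if m:
            # Prefer the primary fingerprint (last field) so an allowlist of
            # primary keys also accepts signatures made with their subkeys.
            signers.add(_norm(m.group(2) or m.group(1)))
    return signers


def verify_signers(status_lines: Iterable[str],
                   signed_by_any: Optional[Iterable[str]] = None,
                   signed_by_all: Optional[Iterable[str]] = None) -> bool:
    """Final success. With neither parameter, any valid signature from any key
    in the keyring succeeds (today's behaviour); the parameters narrow that."""
    signers = valid_signer_fingerprints(status_lines)
    if not signers:
        return False
    if signed_by_any is not None and not (signers & {_norm(f) for f in signed_by_any}):
        return False  # no signature from any expected key
    if signed_by_all is not None and not {_norm(f) for f in signed_by_all} <= signers:
        return False  # at least one required signer is missing
    return True


# Constructed sample data (not real keys or GnuPG output).
RELEASE_FPR = "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"
SUBKEY_FPR = "0000111122223333444455556666777788889999"
OLD_FPR = "FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"  # some rando's old key
STATUS_RELEASE = [f"[GNUPG:] GOODSIG 5555666677778888 Release Signing <rel@example.invalid>",
                  f"[GNUPG:] VALIDSIG {SUBKEY_FPR} 2023-01-01 1672531200 0 4 0 1 10 00 {RELEASE_FPR}"]
STATUS_RANDO = [f"[GNUPG:] VALIDSIG {OLD_FPR} 2023-01-01 1672531200 0 4 0 1 10 00 {OLD_FPR}"]
STATUS_BAD = ["[GNUPG:] BADSIG 5555666677778888 Release Signing <rel@example.invalid>"]
```

Run against STATUS_RANDO, `verify_signers(STATUS_RANDO)` succeeds while `verify_signers(STATUS_RANDO, signed_by_any=[RELEASE_FPR])` does not, which is exactly the gap the request describes.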