From d9a334950bcaded268d60511fe23f386bebf0276 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Thu, 14 Apr 2016 11:05:22 -0400 Subject: [PATCH] man: Elaborate on per-remote GPG Closes: #258 Approved by: alexlarsson --- man/ostree.repo-config.xml | 9 +++++++++ man/ostree.xml | 24 ++++++++++++++++++------ 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/man/ostree.repo-config.xml b/man/ostree.repo-config.xml index c77ccc6e..0c421ba4 100644 --- a/man/ostree.repo-config.xml +++ b/man/ostree.repo-config.xml @@ -195,6 +195,15 @@ Boston, MA 02111-1307, USA. ignored. + + + Per-remote GPG keyrings and verification + + OSTree supports a per-remote GPG keyring. For more information see + ostree1. + in the section GPG verification. + + See Also diff --git a/man/ostree.xml b/man/ostree.xml index 161ef0bc..80b0b0c1 100644 --- a/man/ostree.xml +++ b/man/ostree.xml @@ -425,13 +425,25 @@ Boston, MA 02111-1307, USA. GPG verification - OSTree supports signing commits with GPG. The set of - trusted public keys is stored as keyring files in - /usr/share/ostree/trusted.gpg.d. Any - public key in a keyring file in that directory will be - trusted by the client. No private keys should be present - in this directory. + OSTree supports signing commits with GPG. Operations on the system + repository by default use keyring files in + /usr/share/ostree/trusted.gpg.d. Any + public key in a keyring file in that directory will be + trusted by the client. No private keys should be present + in this directory. + + In addition to the system repository, OSTree supports a + per-remote + remotename.trustedkeys.gpg + file stored in the toplevel of the repository (alongside + objects/ and such). This is + particularly useful when downloading content that may not + be fully trusted (e.g. you want to inspect it but not + deploy it as an OS), or use it for containers. This file + is written via ostree remote add + --gpg-import. +
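
Review bot: in the man/ostree.repo-config.xml hunk, the added sentence has a stray period after the ostree(1) reference, so it reads "see ostree1. in the section GPG verification." with the cross-reference split in two. Drop that period and reorder the sentence, for example "For more information see the GPG verification section of ostree(1).", so the pointer reads as one sentence.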
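
Review bot: in the man/ostree.xml hunk, the new paragraph on remotename.trustedkeys.gpg does not say how the per-remote keyring relates to /usr/share/ostree/trusted.gpg.d, that is, whether a remote with its own keyring is verified against that keyring only or against the system keyrings as well. Because the paragraph recommends the per-remote file for content that "may not be fully trusted", the man page should state that scope explicitly. Two wording points in the same paragraph: "In addition to the system repository" would be clearer as a reference to the system keyring directory, and "or use it for containers" does not parse with the rest of its sentence.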