Skip to content

Enforce sane gpg options

gpg run by signature.py is subject to the options set in user's gpg.conf. Some of them may be undesirable and should overridden with the command line options.

Potential command line options to add:

  • --no-armor: ensures gpg creates a .sig file instead of .asc in case gpg.conf has armor.
  • --no-include-key-block: ensures the signature file doesn't contain an embedded public key. Protects against a situation when the verifying use has auto-key-import in gpg.conf as it's important that the public key retrieved from another place instead of the signature itself.
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information