On 29/05/2022 at 19:58, David Runge wrote:

> On 2022-05-29 12:40:22 (+0200), kpcyrd wrote:
>
>> I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum:
>> https://vulns.xyz/2022/05/auth-tarball-from-git/
>> Let me know what you think - that's all
>
> Hi,
>
> in your article you are missing the commit pinning strategy, which should usually be used (admittedly a few of my packages also don't use that yet... :S) for scenarios where git based VCS sources are used and signed tags should be validated.
>
> According to how one can use VCS sources [1], it is possible to pin to a commit. This commit can be the signed tag object as retrieved by using git ls-remote [2]. There is no tooling in the context of our package tooling that allows for automating this (e.g. bump to new version, automatically retrieve the given commit checksum to pin), but it is a viable option to pin a given signed release by its commit checksum and have the `?signed` check as well, while continuing to use VCS sources.

I would even argue that if someone wants to spend time on developing some helper tool, I would rather see an updpkgsums-like one that retrieves the commit or tag hash from the pkgver and source url and updates the _commit or _tag variable in the PKGBUILD. ;)

Regards,
Bruno/Archange
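The helper both David and Bruno sketch (look the signed tag object up with `git ls-remote`, then pin the PKGBUILD's `#commit=` fragment to it, keeping `?signed`) can be demonstrated offline. The following is an added example, not code from this thread or from Arch's packaging tools: it parses constructed `git ls-remote --tags` output (real git prints an annotated tag's object id on the `refs/tags/<name>` line and the commit it points at on a peeled `refs/tags/<name>^{}` line), picks the tag object rather than the peeled commit, refuses lightweight tags (they have no object to carry a signature), and rewrites the `_tag` variable in a constructed PKGBUILD. The package name, URL, hashes and the assumption that tags are named `v` + pkgver are all made up for the example.

```python
"""Pin a PKGBUILD VCS source to the hash of a signed (annotated) tag object.

Added example (hypothetical helper, not Arch tooling): given the output of
`git ls-remote --tags <url>` and a PKGBUILD, set `_tag=` to the tag object id
so that `#commit=${_tag}?signed` both pins the source and verifies the tag
signature against validpgpkeys.
"""
import re

# Constructed `git ls-remote --tags` output (not from a real repository).
# For an annotated tag git lists the tag object, then the commit it points to
# on a `^{}` (peeled) line; a lightweight tag has no peeled line.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v1.0.0
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v1.0.0^{}
2222222222222222222222222222222222222222\trefs/tags/v1.1.0
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v1.1.0^{}
3333333333333333333333333333333333333333\trefs/tags/v2.0.0-lightweight
"""

# Constructed PKGBUILD fragment for a hypothetical package.
SAMPLE_PKGBUILD = """\
pkgname=example
pkgver=1.1.0
_tag=0000000000000000000000000000000000000000
source=("git+https://example.invalid/example.git#commit=${_tag}?signed")
validpgpkeys=('0000000000000000000000000000000000000000')
"""

HASH = r"[0-9a-f]{40}"


def tag_object_hash(ls_remote_output: str, tag: str) -> str:
    """Return the object id of the annotated tag `tag`.

    The unpeeled `refs/tags/<tag>` line is the tag object, which is what
    carries the signature; the `^{}` line is the commit it points to.
    Lightweight tags are rejected because they cannot be signed.
    """
    refs = {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        refs[ref] = sha
    ref = f"refs/tags/{tag}"
    if ref not in refs:
        raise LookupError(f"no such tag: {tag}")
    if f"{ref}^{{}}" not in refs:
        raise ValueError(f"{tag} is a lightweight tag and cannot be signed")
    return refs[ref]


def update_pkgbuild(text: str, var: str, new_hash: str) -> str:
    """Rewrite the single `var=<40 hex>` assignment; fail loudly otherwise."""
    if not re.fullmatch(HASH, new_hash):
        raise ValueError("expected a full 40 hex digit object id")
    pattern = re.compile(rf"^({re.escape(var)}=)({HASH})$", re.MULTILINE)
    updated, count = pattern.subn(rf"\g<1>{new_hash}", text)
    if count != 1:
        raise ValueError(f"expected exactly one {var}= assignment, found {count}")
    return updated


def pin_to_tag(pkgbuild: str, ls_remote_output: str, var: str = "_tag") -> str:
    """Derive the tag from pkgver (assumption: tags are 'v' + pkgver) and pin it."""
    match = re.search(r"^pkgver=(\S+)$", pkgbuild, re.MULTILINE)
    if not match:
        raise ValueError("pkgver not found in PKGBUILD")
    tag = f"v{match.group(1)}"
    return update_pkgbuild(pkgbuild, var, tag_object_hash(ls_remote_output, tag))


if __name__ == "__main__":
    print(pin_to_tag(SAMPLE_PKGBUILD, SAMPLE_LS_REMOTE))
```

In real use `SAMPLE_LS_REMOTE` would be replaced by the captured output of `git ls-remote --tags <source url>`; the script deliberately keeps the network step outside so the pinning logic itself is testable. Pinning to the tag object rather than the peeled commit matters because the `?signed` check verifies the tag's signature, and the commit hash alone says nothing about who signed the release.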