On 2022-05-29 12:40:22 (+0200), kpcyrd wrote:
I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the source code with >= sha256sum:
https://vulns.xyz/2022/05/auth-tarball-from-git/
Let me know what you think - that's all,
Hi,

in your article you are missing the commit pinning strategy, which should usually be used (admittedly a few of my packages also don't use that yet... :S) for scenarios where git-based VCS sources are used and signed tags should be validated.

According to how one can use VCS sources [1], it is possible to pin to a commit. This commit can be the signed tag object as retrieved by using git ls-remote [2]. There is no tooling in the context of our package tooling that allows for automating this (e.g. bump to new version, automatically retrieve the given commit checksum to pin), but it is a viable option to pin a given signed release by its commit checksum and have the `?signed` check as well, while continuing to use VCS sources.

Best,
David

[1] https://man.archlinux.org/man/PKGBUILD.5#USING_VCS_SOURCES
[2] https://man.archlinux.org/man/git-ls-remote.1

-- 
https://sleepmap.de
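The pinning David describes, as an added example that is not part of the thread and is neither kpcyrd's tool nor makepkg: it takes `git ls-remote --tags` output, picks the annotated tag object (not the peeled `^{}` commit) and emits the `#commit=<hash>?signed` source entry from PKGBUILD(5). The repository URL, package name and hashes are constructed; the signature check itself is still done by makepkg at build time, which this script does not replicate.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: derive a commit-pinned, signature-checked
# PKGBUILD source= entry from `git ls-remote --tags` output.

# tag_object_hash TAG
# Reads `git ls-remote --tags <url>` output on stdin and prints the hash of the
# tag object refs/tags/TAG. The sibling refs/tags/TAG^{} line is the peeled
# commit and is deliberately skipped: the signature that ?signed verifies lives
# on the tag object, so that is the hash worth pinning.
tag_object_hash() {
    local tag=$1
    awk -v ref="refs/tags/$tag" '
        $2 == ref { print $1; found = 1 }
        END { exit !found }'
}

# pinned_source NAME URL TAG
# Emits NAME::git+URL#commit=<tag object>?signed, the VCS source form from
# PKGBUILD(5) that pins the release and asks makepkg to verify its signature.
pinned_source() {
    local name=$1 url=$2 tag=$3 hash
    hash=$(tag_object_hash "$tag") || return 1
    printf '%s::git+%s#commit=%s?signed\n' "$name" "$url" "$hash"
}

# Constructed stand-in for `git ls-remote --tags https://example.invalid/proj.git`;
# the hashes are made up. A real run would read the live ls-remote output.
SAMPLE_LS_REMOTE='1111111111111111111111111111111111111111	refs/tags/v1.0.0
2222222222222222222222222222222222222222	refs/tags/v1.0.0^{}
3333333333333333333333333333333333333333	refs/tags/v1.1.0
4444444444444444444444444444444444444444	refs/tags/v1.1.0^{}'

# Offline usage: feed the constructed sample instead of a live ls-remote.
printf '%s\n' "$SAMPLE_LS_REMOTE" \
    | pinned_source proj https://example.invalid/proj.git v1.1.0
```

A tag that is not annotated has no tag object and only the `^{}`-less line would point at a plain commit; the function then fails so the entry is not emitted with an unsigned hash.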