On Mon, Jan 05, 2015 at 10:16:10AM +0100, Christian Hesse wrote:
> I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
>
> Appending .sign may help as well. In fact, for an example file archive.tar.xz we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>
> $ export FILE=archive.tar.xz
> $ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
> archive.tar.xz.asc archive.tar.xz.sig archive.tar.xz.sign archive.tar.asc archive.tar.sig archive.tar.sign
Does makepkg(8) know how to check sigs of .tar files as opposed to .tar.xz?

Cheers,
-- 
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
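The brace expansion quoted above relies on a zsh-style pattern group, `(xz|bz2|gz)`, which POSIX sh does not understand. The following is an added example, not code from the thread or from makepkg, that enumerates the same candidate names in portable sh (the file itself and, when it carries a compression suffix, the inner archive name, each with .asc, .sig and .sign), picks the first candidate that exists on disk, and hands it to `gpg --verify`. The function names `sig_candidates`, `find_sig` and `verify_source` are assumptions of this example; the verify step assumes `gpg` is installed and the signer's key is already in the keyring.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of makepkg.
# Usage:  . ./sigcheck.sh; verify_source archive.tar.xz

# Print the candidate detached-signature names for file $1, one per line:
# {FILE, FILE-without-compression-suffix}.{asc,sig,sign}
sig_candidates() {
    f=$1
    # Only strip a suffix we recognise as compression; "foo.tar" stays as-is.
    case "$f" in
        *.xz|*.bz2|*.gz) set -- "$f" "${f%.*}" ;;
        *)               set -- "$f" ;;
    esac
    for stem in "$@"; do
        for ext in asc sig sign; do
            printf '%s\n' "$stem.$ext"
        done
    done
}

# Print the first candidate signature that exists next to the file.
# Returns 1 when none is present (filenames containing newlines unsupported).
find_sig() {
    old_ifs=$IFS
    IFS='
'
    for cand in $(sig_candidates "$1"); do
        if [ -f "$cand" ]; then
            IFS=$old_ifs
            printf '%s\n' "$cand"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# Verify $1 against whichever signature file was found.
# Exit status: 0 good signature, 2 no signature file, gpg's status otherwise.
# A missing signature is reported loudly rather than silently treated as OK,
# which is what makes a tampered plain-HTTP download detectable at all.
verify_source() {
    sig=$(find_sig "$1") || {
        printf 'no signature file found for %s\n' "$1" >&2
        return 2
    }
    # gpg reads the signature first, then the data file it covers.
    gpg --verify "$sig" "$1"
}
```

Because the inner archive name is also tried, a signature made over `archive.tar` (before compression) is found for a download named `archive.tar.xz`; note that in that case `gpg --verify` must be given the decompressed `archive.tar`, not the `.xz` file, so a caller should decompress first when `find_sig` returns a name without the compression suffix.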