On 05/01/15 12:28 PM, Leonid Isaev wrote:
> On Mon, Jan 05, 2015 at 10:16:10AM +0100, Christian Hesse wrote:
>> I do not think we need HTTPS, though it does not hurt. If anybody tries to fool us with man-in-the-middle via HTTP we should detect that just fine with broken signatures (given signatures are provided...).
>>
>> Appending .sign may help as well. In fact for an example file archive.tar.xz we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>>
>> $ export FILE=archive.tar.xz
>> $ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>> archive.tar.xz.asc archive.tar.xz.sig archive.tar.xz.sign archive.tar.asc archive.tar.sig archive.tar.sign
>
> Does makepkg(8) know how to check sigs of .tar files as opposed to .tar.xz?

Yes, it learned how to do that in the most recent release.
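A portable bash version of the candidate search quoted above, added here as an example and not part of the thread or of makepkg itself: it builds the same six names for a compressed tarball (three for a plain one, since the `(xz|bz2|gz)` pattern in the quoted snippet is a zsh extended glob that plain bash does not expand), picks the first that exists on disk, and hands it to `gpg --verify`. The helper names `sig_candidates`, `find_signature` and `verify_source` are my own.

```bash
#!/bin/bash
# Added example; these helpers are not part of makepkg.
# Print the signature filenames to look for, in preference order:
# the file itself and, if it is compressed, the uncompressed name,
# each with the .asc, .sig and .sign suffixes.
sig_candidates() {
    local file=$1 base ext name
    case $file in
        *.xz|*.bz2|*.gz) base=${file%.*} ;;   # strip one compression suffix
        *)               base=$file ;;       # plain archive: nothing to strip
    esac
    set -- "$file"
    [ "$base" != "$file" ] && set -- "$file" "$base"
    for name in "$@"; do
        for ext in asc sig sign; do
            printf '%s.%s\n' "$name" "$ext"
        done
    done
}

# Print the first candidate that exists on disk; fail if none does.
find_signature() {
    local cand
    while IFS= read -r cand; do
        if [ -f "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < <(sig_candidates "$1")
    return 1
}

# Verify FILE against whichever detached signature was found.
# Which keys are trusted is still decided by the gpg keyring;
# a bad or missing signature makes this return non-zero.
verify_source() {
    local file=$1 sig
    sig=$(find_signature "$file") || { echo "no signature found for $file" >&2; return 1; }
    gpg --verify "$sig" "$file"
}
```

Run `verify_source archive.tar.xz` in the directory holding the tarball and its signature.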