Stop makepkg from running gpg on .sig files
Hello, apparently makepkg automatically attempts to verify .sig files in the SOURCES array with gpg. Can I somehow stop this behaviour? I have .sig URLs but these aren't GPG signatures, but SSH signatures I'd like to validate in a custom verify() function. Currently, I'm working around this by renaming the upstream .sig files to .sigssh in SOURCES, but that's rather inconvenient. Cheers, Basti
Basti, Have you tried renaming the file? e.g. source=('package_sig.txt::http://wherever/package.sig') -- Edward
Please do read my original message: that is precisely what I am doing now, and what I'd like to avoid 🙂️
My bad, sorry! Out of curiosity, I checked the source code for makepkg, and it looks like the only other way is to use the --skippgpcheck flag. (Curiously, the test for signature files checks the entire URL, not just the path name, so if you add a question mark to the URL, this also bypasses the signature check -- not that I would recommend doing that, of course). -- Edward
No worries. Thanks a lot for checking. I like the idea of adding a question mark as a creative hack, but I think I'll stick with renaming the files. 😅️ Thanks for your help <3
participants (2)
-
Edward Toroshchyn
-
Sebastian Wiesner