[aur-general] checksums
Hi, Working only on my second AUR package, please bear with me. To verify integrity, the author does not provide checksums but only a gpg .asc file. What is the preferred way for me to proceed? The author is active and available so I can ask him to post a sha256 on his website; but I'm trying not to be too demanding, preferring to keep my requests on the subject of the application itself, e.g. features, etc. It's not a big deal but just wanted to check with the community here in case I am missing something. Thanks.
Hi,
It's possible to calculate the checksums yourself. Just install the openssl package and then run the following:
$ openssl sha256 filename.tar.gz
(with filename.tar.gz being the name of the source tarball that you're using)
Hope this helps
On 4 October 2014 11:54, stef204 <stef204@yandex.com> wrote:
Hi, Working only on my second AUR package, please bear with me. To verify integrity, the author does not provide checksums but only a gpg .asc file. What is the preferred way for me to proceed? The author is active and available so I can ask him to post a sha256 on his website; but I'm trying not to be too demanding, preferring to keep my requests on the subject of the application itself, e.g. features, etc. It's not a big deal but just wanted to check with the community here in case I am missing something. Thanks.
On 04-10-2014 12:31, Charles Bos wrote:
Hi,
It's possible to calculate the checksums yourself. Just install the openssl package and then run the following:
$ openssl sha256 filename.tar.gz
(with filename.tar.gz being the name of the source tarball that you're using)
Hope this helps
Or just use sha256sum or md5sum, both provided by coreutils.
-- 
Mauro Santos
On 4 Oct 2014 13:52, "Charles Bos" <charlesbos1@gmail.com> wrote:
Hi,
It's possible to calculate the checksums yourself. Just install the openssl package and then run the following:
$ openssl sha256 filename.tar.gz
(with filename.tar.gz being the name of the source tarball that you're using)
Hope this helps
Or just use sha256sum or md5sum. Not sure which package they live in, but I suspect they come with the base development packages. /M
04.10.2014, 05:52, "Charles Bos" <charlesbos1@gmail.com>:
Hi,
It's possible to calculate the checksums yourself. Just install the openssl package and then run the following:
$ openssl sha256 filename.tar.gz
(with filename.tar.gz being the name of the source tarball that you're using)
Hope this helps
Charles, obviously... I can also use sha256sum foo.tar.gz to get it... IMHO, the point is to get it from the author/the source; it is _his_ checksum which is the reference, not the checksum of a file I have downloaded from his website; my file might be 'corrupt', etc.
Hi,
On 04.10.2014 at 12:54, stef204 wrote:
What is the preferred way for me to proceed?
Use GPG to verify the integrity of the download and calculate the checksum locally for yourself. Users of your package have to trust you anyway, as you can basically do anything to your package.
Best regards,
Karol Babioch
04.10.2014, 06:09, "Karol Babioch" <karol@babioch.de>:
Use GPG to verify the integrity of the download and calculate the checksum locally for yourself. Users of your package have to trust you anyway, as you can basically do anything to your package.
Best regards, Karol Babioch
OK, you have a point, understood. Tx. @ Charles Bos: ^^^ the logic I was missing. Tx.
For reference, a PGP signature is a hash of the file encrypted with the public key, so that people who have the public key can decrypt the hash and verify that the file they have is the one that upstream published.
-- 
Sincerely,
Johannes Löthberg
PGP Key ID: 0x50FB9B273A9D0BB5
https://keybase.io/johannes
On 10/04/2014 12:54 PM, stef204 wrote:
To verify integrity, the author does not provide checksums but only a gpg .asc file. What is the preferred way for me to proceed?
If there were no verification at all (neither hash nor signature) you would (most likely) have to trust the source on first contact (or talk to upstream). Luckily you are able to check the integrity with gpg like this:

gpg --verify your-package-source.tar.gz.sig

Once you have verified the integrity, you can simply calculate a hash locally of the self-verified source via the sha*sum tools from coreutils [0], like this:

sha512sum your-package-source.tar.gz

If you want an even more convenient solution, you can also simply call 'updpkgsums' (after the gpg verification) in the current directory containing the PKGBUILD in question. This will update the existing hash in your PKGBUILD (but it's recommended to check the gpg integrity before doing so).

cd your-package-directory
updpkgsums

cheers
Levente

[0] https://www.archlinux.org/packages/core/x86_64/coreutils/files/
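Levente's order of operations (check the signature first, record the hash of the verified file second) as an added example; this is not code from the thread and not pacman's own updpkgsums. It is a small POSIX shell script that refuses to touch the PKGBUILD unless gpg --verify accepts the detached signature, then writes the sha256 of the verified tarball into the sha256sums array, and can later tell when a download with the same name no longer matches what was recorded. The file names, the single-entry sha256sums line and the PKGBUILD contents are constructed for the demonstration; gpg and coreutils sha256sum are assumed to be installed.

```shell
#!/bin/sh
# Added example: signature first, checksum second.
# Assumptions (not from the thread): the PKGBUILD has one source file and a
# single-line sha256sums=('...') array; gpg and sha256sum are on PATH.

# Digest of a file, hash only (sha256sum prints "<digest>  <name>").
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Overwrite the sha256sums=(...) line with a new digest. Returns 1 when the
# PKGBUILD has no such line, so nothing is silently appended.
set_sha256sums() {
    pkgbuild=$1
    digest=$2
    grep -q '^sha256sums=(' "$pkgbuild" || return 1
    tmp=$(mktemp)
    sed "s|^sha256sums=(.*)|sha256sums=('$digest')|" "$pkgbuild" > "$tmp" && mv "$tmp" "$pkgbuild"
}

# Read the recorded digest back; prints nothing for 'SKIP' or a missing line.
get_sha256sums() {
    sed -n 's|^sha256sums=(.\([0-9a-f]*\).)|\1|p' "$1"
}

# 0 when the tarball matches the recorded digest, 1 otherwise.
check_sha256sums() {
    recorded=$(get_sha256sums "$1")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$2")" ]
}

# Only a tarball that gpg accepts gets its digest recorded in the PKGBUILD.
verify_then_record() {
    pkgbuild=$1
    tarball=$2
    signature=$3
    if ! gpg --verify "$signature" "$tarball" >/dev/null 2>&1; then
        echo "signature check failed for $tarball; PKGBUILD left unchanged" >&2
        return 1
    fi
    set_sha256sums "$pkgbuild" "$(sha256_of "$tarball")"
}

# Demo on constructed files (stand-in bytes, not a real tarball, no keyring).
workdir=$(mktemp -d)
printf 'constructed stand-in for foo-1.0.tar.gz\n' > "$workdir/foo-1.0.tar.gz"
cat > "$workdir/PKGBUILD" <<'EOF'
pkgname=foo
pkgver=1.0
source=(http://example.com/foo-1.0.tar.gz)
sha256sums=('SKIP')
EOF

# Record the digest of the tarball (assumed already verified for the demo).
set_sha256sums "$workdir/PKGBUILD" "$(sha256_of "$workdir/foo-1.0.tar.gz")"
grep '^sha256sums=' "$workdir/PKGBUILD"
check_sha256sums "$workdir/PKGBUILD" "$workdir/foo-1.0.tar.gz" && echo "tarball matches PKGBUILD"

# A later download with the same name but different bytes must be rejected.
printf 'different bytes\n' > "$workdir/foo-1.0.tar.gz"
check_sha256sums "$workdir/PKGBUILD" "$workdir/foo-1.0.tar.gz" || echo "mismatch: refuse to build"
rm -rf "$workdir"
```

Against a real download, call verify_then_record PKGBUILD foo-1.0.tar.gz foo-1.0.tar.gz.asc; the demo at the bottom exercises only the hashing half so it runs without a keyring. The gpg step is what gives the recorded hash its meaning: a detached signature is made with upstream's private key and checked against the public key you have imported, so a failed check means the tarball is not the one upstream signed, and a checksum taken from it would only have blessed a bad file.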
04.10.2014, 06:38, "Levente Polyak" <levente@leventepolyak.net>:
If you want an even more convenient solution, you can also simply call 'updpkgsums' (after the gpg verification) in the current directory containing the PKGBUILD in question. This will update the existing hash in your PKGBUILD (but it's recommended to check the gpg integrity before doing so).
cd your-package-directory
updpkgsums
Thanks Levente. All is clear on this issue.
On 04.10.2014 12:54, stef204 wrote:
To verify integrity, the author does not provide checksums but only a gpg .asc file.
Put the .asc file URL in the sources array and makepkg will verify it automatically. This only works if the base filenames are the same (foo.tar.gz and foo.tar.gz.asc), but that's likely the case anyway. You can use shell expansion like so:

source=(http://example.com/foo.tar.gz{,.asc})
participants (8)
- Charles Bos
- Florian Pritz
- Johannes Löthberg
- Karol Babioch
- Levente Polyak
- Magnus Therning
- Mauro Santos
- stef204