On 16/12/2016 at 21:40, Olivier Brunel wrote:
> On Fri, 16 Dec 2016 14:52:20 -0500 Eli Schwartz <eschwartz93@gmail.com> wrote:
> (...)
>> Well, Firefox upstream for one supplies sha512sums in a signed file.[1] So this could in theory be used.
>>
>> The problem is that you can copy the checksums into the PKGBUILD and PGP-verify the checksum file, but unless you seriously reorganize makepkg's verification logic you cannot download the checksum file, PGP-verify it and *then* check the other files based on the checksum file. And I don't think anyone else strongly cares about doing that, but maybe if you provided a patch it would be accepted?
>
> Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either a detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases.
>
> And as it happens, it will work with firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)
>
> Cheers,
>
> [1] https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html

Interesting (for my part, I was definitely not subscribed to that list at that point). Actually, this patch does much more than I ask for (and a bit less also in a certain way), since I definitely don't want makepkg to try to be clever about the signed sha*sum file content.

So to sum up my point of view, all that would be needed is:

1) Be able to run whatever grep or the like command on any file from the source array in the sha*sum array (that currently does work if the file was already present locally, but not if it had to be downloaded).

2) Make makepkg verify inline PGP-signed messages.

I acknowledge not having enough ease with the makepkg source code to provide a patch for that any time soon, but knowing whether such a thing would be a good idea or accepted would already be a first step.

Regards,
Bruno
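The ordering Eli describes (download the sums file, PGP-verify it, only then check the sources against it) together with the inline-signed-message check Bruno asks for, as an added shell example that is not from this thread and not makepkg's own code. It assumes gpg and coreutils sha512sum; the expected key fingerprint is supplied by the caller (what a PKGBUILD keeps in validpgpkeys), and the sample tarball, sums file and placeholder signature are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread or from makepkg. The clearsigned
# SHA512SUMS file is PGP-verified FIRST; a checksum is read out of it only after
# that, and the downloaded source is then checked against that checksum.
# Needs gpg and coreutils sha512sum. Sample data (make_sample) is constructed.

# Signed text of a clearsigned file (RFC 4880 section 7): the lines after the
# header's blank line up to the signature block, with dash-escaping undone.
clearsigned_body() {  # $1 = clearsigned file
    awk '/^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
         hdr && /^$/                            { hdr = 0; body = 1; next }
         /^-----BEGIN PGP SIGNATURE-----$/      { exit }
         body                                   { sub(/^- /, ""); print }' "$1"
}

# The gate. gpg must report VALIDSIG by exactly the expected fingerprint; a
# GOODSIG from another key, or any failure (no gpg, garbage armor), rejects.
verify_sums_sig() {  # $1 = clearsigned sums file, $2 = expected fingerprint
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        awk -v fpr="$2" '$1 == "[GNUPG:]" && $2 == "VALIDSIG" && $3 == fpr { ok = 1 }
                         END { exit !ok }'
}

# Hash for one source from the sums list. Entries may carry a path prefix
# (Firefox lists source/<name>) or the "*" binary-mode marker; match on basename.
checksum_for() {  # $1 = sums file, $2 = source file name
    clearsigned_body "$1" | awk -v n="$2" '
        { f = $2; sub(/^\*/, "", f); sub(/.*\//, "", f) }
        f == n { print $1; exit }'
}

# Check a downloaded source against the signed list, refusing on any doubt.
check_source() {  # $1 = sums file, $2 = expected fingerprint, $3 = source path
    verify_sums_sig "$1" "$2" || { echo "refusing: $1 is not validly signed" >&2; return 1; }
    sum=$(checksum_for "$1" "$(basename "$3")")
    [ -n "$sum" ] || { echo "refusing: no entry for $3 in $1" >&2; return 1; }
    printf '%s  %s\n' "$sum" "$3" | sha512sum -c --quiet -
}

# Constructed sample: a stand-in tarball (placeholder name) and a clearsigned-
# looking SHA512SUMS listing it. The signature is fake, so verify_sums_sig must reject.
make_sample() {  # $1 = directory to populate
    printf 'constructed stand-in, not a real tarball\n' > "$1/firefox-VERSION.source.tar.xz"
    h=$(sha512sum "$1/firefox-VERSION.source.tar.xz" | cut -d' ' -f1)
    printf '%s\n' '-----BEGIN PGP SIGNED MESSAGE-----' 'Hash: SHA512' '' \
        "$h  source/firefox-VERSION.source.tar.xz" '-----BEGIN PGP SIGNATURE-----' '' \
        'PLACEHOLDER-NOT-A-REAL-SIGNATURE=' '-----END PGP SIGNATURE-----' > "$1/SHA512SUMS"
}
```

The point of check_source is the order of its first two lines: nothing from the sums file is trusted, not even a single grep result, until the signature check has passed.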