On Fri, 16 Dec 2016 14:52:20 -0500 Eli Schwartz <eschwartz93@gmail.com> wrote: (...)
> Well, Firefox upstream for one supplies sha512sums in a signed file.[1] So this could in theory be used.
>
> The problem is that you can copy the checksums into the PKGBUILD and PGP-verify the checksum file, but unless you seriously reorganize makepkg's verification logic you cannot download the checksum file, PGP-verify it and *then* check the other files based on the checksum file. And I don't think anyone else strongly cares about doing that, but maybe if you provided a patch it would be accepted?
Well, for the record there is a patch[1] for doing just that (and a bit more) actually. Because indeed a few upstreams do not provide signatures of the source code directly, but either a detached sig of a checksum file, or checksums as a signed message. The patch in question handles both cases. And as it happens, it will work with Firefox upstream, amongst others. (Though not with the .dsc files from Debian mentioned in this thread.)

Cheers,

[1] https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
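For readers following the thread, here is an added example (my own, not the patch above nor makepkg's code) of the verification order being discussed: the checksum list is trusted only after GnuPG accepts its signature, for both the detached-signature and the signed-message case, and every source must then match an entry in that list. The `gpg` calls assume GnuPG is installed and the upstream key is already in the keyring; file names and contents in `demo()` are constructed.

```python
"""Added example (not makepkg's code): trust an upstream checksum list only once
GnuPG has verified it, then check every source against that list."""
import hashlib, subprocess, tempfile
from pathlib import Path

def signed_checksum_text(path, detached_sig=None):
    """Return checksum text only if its signature verifies (raises otherwise).
    detached_sig set: 'path' is the plain SHA512SUMS, detached_sig its .asc/.sig.
    None: 'path' is a clearsigned message; use the body gpg emits, never the raw
    file, since bytes outside the signed block are not covered by the signature."""
    if detached_sig:
        subprocess.run(["gpg", "--batch", "--verify", detached_sig, path], check=True)
        return Path(path).read_text()
    return subprocess.run(["gpg", "--batch", "--decrypt", path], check=True,
                          capture_output=True, text=True).stdout

def parse_sums(text):
    """Parse sha512sum-style 'HEX  NAME' lines into {name: hex}; skip blanks/comments."""
    sums = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 128:
            raise ValueError("malformed sha512 entry: " + line)
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in coreutils
    return sums

def verify_sources(sums_text, sources):
    """sources: {name exactly as listed upstream: local path}.
    A source absent from the signed list is a failure, never a silent skip."""
    listed, failures = parse_sums(sums_text), []
    for name, local in sources.items():
        if name not in listed:
            failures.append(name + ": not in signed checksum list")
            continue
        if hashlib.sha512(Path(local).read_bytes()).hexdigest() != listed[name]:
            failures.append(name + ": sha512 mismatch")
    return failures

def demo():
    """Constructed offline run (gpg step skipped): one good, one tampered, one unlisted."""
    d = Path(tempfile.mkdtemp())
    good, bad = d / "pkg-1.0.tar.xz", d / "pkg-1.0.tar.xz.sig"
    good.write_bytes(b"constructed source archive\n"); bad.write_bytes(b"tampered\n")
    sums = "%s  source/pkg-1.0.tar.xz\n%s  source/pkg-1.0.tar.xz.sig\n" % (
        hashlib.sha512(good.read_bytes()).hexdigest(), "0" * 128)
    return verify_sources(sums, {"source/pkg-1.0.tar.xz": good,
                                 "source/pkg-1.0.tar.xz.sig": bad, "source/missing": good})
```

The list returned by `demo()` names the tampered file and the unlisted one; an empty list is the only result that should let a build proceed.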