On 12/07/16 at 09:00pm, Eli Schwartz wrote:
> On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
>> * git url, but no #tag= or #commit= specified, should verify HEAD on the
>>   #branch, or the no tag, commit, branch case.
>
> I imagine that should be handled just like #commit= using verify-commit
> HEAD, why does it need to be special-cased?

Well, with #commit you specify a certain commit, so I would say you want to
verify that commit.

>> * Not parsing or tested invalid signed tags, not sure how git verify-tag
>>   displays errors so that needs more work.
>
> Non-signed tags return an "error: no signature found", non-signed commits
> just return an error.

Yup, but what about other LOCALEs? Guess it needs a LOCALE=C git..

>> * I would like to move the git verification into source/git.sh.in and
>>   then re-use the code which extracts #branch, #commit etc. It would also
>>   reduce the clutter in verify_signature.sh.in. Another idea is to move
>>   the verification into integrity/verify_git.sh.in.
>
> Or extract the logic into a new function and reuse it in integrity/
>
>> * Changing the directory is cumbersome. git offers
>>   git -C $path verify-tag $tag to resolve that.
>> * Multiple sources, .tar.gz{,asc} and a git one. (Rare but should be
>>   handled) Or multiple git sources.
>
> Or put another way, how should a PKGBUILD declare that git GPG
> verification is demanded, for that particular source?

I'd say if it has validpgpkeys=('234234') we verify the git tag. Which would
require extracting the VALIDSIG 23423 from git verify-tag --raw v12.

> I have something similar-ish, but probably a lot uglier :p here:
> https://github.com/eli-schwartz/pacman/commit/edde351d919a5baf8c31764c5cfe9e...

Hmm, looks less ugly somehow though ;-)

-- 
Jelle van der Waa
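As an added example, not code from the pacman/makepkg tree, from Eli's linked commit or from either poster, here is the flow the thread sketches written out in POSIX shell: pick `verify-tag` or `verify-commit` from the source URL fragment (with a bare URL verifying HEAD, so it needs no special case), run `git -C <dir> ... --raw` so nobody has to cd into the checkout, pull the fingerprint out of the `[GNUPG:] VALIDSIG` status line, and compare it against the PKGBUILD's validpgpkeys. The `[GNUPG:]` keywords are fixed strings that GnuPG does not translate, so parsing the `--raw` status lines rather than the human-readable verdict sidesteps the locale question; LC_ALL=C is still set so git's own diagnostics ("error: no signature found") stay stable. It goes a little beyond the thread in handling all ref kinds, not just tags. Every function name and the sample status lines are constructed for this illustration; the fingerprints are made up.

```shell
#!/bin/sh
# Added example, not makepkg code: verify the signature on a git source the
# way the thread sketches it. Function names and sample data are constructed.

# Decide which git subcommand and ref to verify from a PKGBUILD git source
# URL. #tag= gets verify-tag on the tag object; #commit= and #branch= get
# verify-commit on the named commit; a bare URL verifies HEAD.
git_verify_target() {
    case $1 in
        *'#tag='*)    printf 'verify-tag %s\n' "${1##*#tag=}" ;;
        *'#commit='*) printf 'verify-commit %s\n' "${1##*#commit=}" ;;
        *'#branch='*) printf 'verify-commit %s\n' "${1##*#branch=}" ;;
        *)            printf 'verify-commit HEAD\n' ;;
    esac
}

# Parse GnuPG status lines as relayed by `git ... --raw` (gpg --status-fd
# output, which git sends to stderr). Non-status lines such as git's own
# "error: no signature found" are ignored. Returns 0 and prints the full
# fingerprint from VALIDSIG for a good signature; 1 if the object is signed
# but the signature is bad or from an unknown, expired or revoked key;
# 2 if no signature status was seen at all.
parse_gpg_status() {
    fpr='' bad=0
    while IFS= read -r line; do
        case $line in
            '[GNUPG:] VALIDSIG '*)
                # VALIDSIG <fpr> <sig-date> <sig-ts> <expire-ts> <ver> <rsv>
                #          <pk-algo> <hash-algo> <class> [<primary-fpr>]
                set -- $line
                fpr=$3 ;;
            '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*|'[GNUPG:] NO_PUBKEY '*|'[GNUPG:] EXPKEYSIG '*|'[GNUPG:] REVKEYSIG '*)
                bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ] || return 1
    [ -n "$fpr" ] || return 2
    printf '%s\n' "$fpr"
}

# Match the signing key against the validpgpkeys entries passed as the
# remaining arguments (in makepkg that would be "${validpgpkeys[@]}").
# Compare full fingerprints only, case-insensitively; never a short key id.
fingerprint_is_trusted() {
    fpr=$(printf '%s' "$1" | tr 'a-f' 'A-F'); shift
    for key; do
        [ "$(printf '%s' "$key" | tr 'a-f' 'A-F')" = "$fpr" ] && return 0
    done
    return 1
}

# Verify one git source: $1 checkout dir, $2 verify-tag|verify-commit,
# $3 ref, remaining args the trusted fingerprints. git -C avoids cd'ing
# into the checkout; --raw relays gpg's untranslated status lines.
verify_git_source() {
    dir=$1 sub=$2 ref=$3; shift 3
    # gpg status and git errors both arrive on stderr: capture that, drop stdout.
    status=$(LC_ALL=C git -C "$dir" "$sub" --raw "$ref" 2>&1 >/dev/null) || true
    fpr=$(printf '%s\n' "$status" | parse_gpg_status) && rc=0 || rc=$?
    case $rc in
        0) if fingerprint_is_trusted "$fpr" "$@"; then
               printf '%s: good signature by %s\n' "$ref" "$fpr"
               return 0
           fi
           printf '%s: signed by %s, not in validpgpkeys\n' "$ref" "$fpr" >&2
           return 1 ;;
        1) printf '%s: bad or unverifiable signature\n' "$ref" >&2; return 1 ;;
        *) printf '%s: no signature found\n' "$ref" >&2; return 1 ;;
    esac
}

# Constructed sample of what `git verify-tag --raw` relays for a good
# signature (fingerprint made up for this example).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 3jkhk7ekC91f3v+0eWiHJWtDXa4 2016-12-07 1481133600
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-12-07 1481133600 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# Constructed: signed, but the public key is not in the keyring.
SAMPLE_NOKEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1481133600 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'
# Constructed: an unsigned tag produces only git's error, no status lines.
SAMPLE_UNSIGNED_STATUS='error: no signature found'

# Command-line use: verify_git_source <checkout> <verify-tag|verify-commit> <ref> <fpr>...
if [ $# -ge 4 ]; then
    verify_git_source "$@"
fi
```

For several sources, the caller would loop over the source array, call `git_verify_target` on each `git+` URL and then `verify_git_source "$checkout" $target "${validpgpkeys[@]}"` (with `$target` unquoted so it splits into subcommand and ref). Gating verification on the presence of validpgpkeys alone, as Jelle suggests, cannot distinguish a PKGBUILD with a signed tarball plus an unsigned git source from one whose git tag is expected to be signed, which is the case Eli's question points at; later makepkg releases instead mark signed VCS sources explicitly with a `?signed` query in the source URL.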