16 Dec
2016
16 Dec
'16
7:56 p.m.
So, I think this is done now. I had to fix a few other embarrassing mistakes (see https://github.com/eli-schwartz/pacman/tree/makepkg-git-verify ) but everything should work now. I've tested it on git and http sources, with and without signatures, and it consistently does the right thing (at last). I decided to check for the existence of git signed objects later rather than earlier. It is possible for e.g. a (weird) commit message to trigger a match with grep, so better to be explicit even if the flow is a bit odd. Too bad git doesn't have a way to dump a signature directly. -- Eli Schwartz