On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
I would like to work on verifying git signed tags. So far I've actually managed to hack it into makepkg, but by missing a lot of edge cases and well writing an ugly implementation. [1] Some of this work has been borrowed from the systemd PKGBUILD. [2]
This is something I want to see also.
Of course the hacks I've put in there are never going to be accepted even if I bribe Allan with a case of bourbon.
I can think of the following issues, edge-cases which need to be handled:
* git url, but no #tag= or #commit= specified, should verify HEAD on the #branch or no tag, commit, branch case.
I imagine that should be handled just like #commit= using verify-commit HEAD, why does it need to be special-cased?
* Not parsing or tested invalid signed tags, not sure how git verify-tag displays errors so that needs more work.
Non-signed tags return an "error: no signature found", non-signed commits just return an error.
* I would like to move the git verification into source/git.sh.in and then re-use the code which extracts #branch, #commit etc. It would also reduce the clutter in verify_signature.sh.in. Another idea is to move the verification into integrity/verify_git.sh.in.
Or extract the logic into a new function and reuse it in integrity/
* Changing the directory is cumbersome. git offers git -C $path verify-tag $tag to resolve that. * Multiple sources, .tar.gz{,asc} and a git one. (Rare but should be handled) Or multiple git sources.
Or put another way, how should a PKGBUILD declare that git GPG verification is demanded, for that particular source?
So tl;dr, I would love to see a pointer where I should call my own verification function for git sources or any other edge-cases I've missed :)
Well, aside from the confusing tab --> spaces thing... (It trips me up too, I keep having to remember to ":set noexpandtab") I have something similar-ish, but probably a lot uglier :p here: https://github.com/eli-schwartz/pacman/commit/edde351d919a5baf8c31764c5cfe9e... -- Eli Schwartz