On 12/08/16 at 07:56am, Eli Schwartz wrote:
On 12/08/2016 03:14 AM, Jelle van der Waa wrote:
On 12/07/16 at 09:00pm, Eli Schwartz wrote:
On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
* git url, but no #tag= or #commit= specified, should verify HEAD on the #branch or no tag, commit, branch case.
I imagine that should be handled just like #commit= using verify-commit HEAD, why does it need to be special-cased?
Well with #commit you specify a certain commit, so I would say you want to verify that commit.
Huhhhh... right. We're checking the bare source repo, not the copy in $srcdir which is checked out to the correct $commit. Too true. :o
Or put another way, how should a PKGBUILD declare that git GPG verification is demanded, for that particular source?
I'd say if it has validpgpkeys=('234234') we verify the git tag. Which would require extracting the VALIDSIG 23423 from git verify-tag --raw v12.
What happens when you have validpgpkeys and want to check a file but the repository is not signed? What happens when you have two repositories and only one is signed?
Yes, that's tricky, and exactly why I wanted to start a discussion here :)

-- 
Jelle van der Waa
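Added example, not code from the thread or from makepkg: a POSIX shell sketch of the extraction Jelle describes, reading the `[GNUPG:] VALIDSIG` status lines that `git verify-tag --raw` writes to stderr and matching the signing-key or primary-key fingerprint against a validpgpkeys-style list. The status output and fingerprints are constructed placeholders, and the function names `tag_fingerprints`, `check_validsig` and `verify_git_tag` are my own choices; the unsigned-repository case Eli raises simply yields no VALIDSIG line and therefore fails.

```shell
#!/bin/sh
# Constructed sample of the raw gpg status lines `git verify-tag --raw v12`
# would emit; the fingerprints are placeholders, not real keys.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-12-07 1481143200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# tag_fingerprints: read raw gpg status lines on stdin and print, for each
# VALIDSIG line, field 3 (signing subkey fingerprint) and, when present,
# field 12 (primary key fingerprint).  GOODSIG alone is not enough: it only
# carries a short key id, and only VALIDSIG carries the full fingerprint.
tag_fingerprints() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $12 }'
}

# check_validsig "<raw status>" key1 key2 ...
# Returns 0 if any VALIDSIG fingerprint matches one of the given full
# fingerprints (case-insensitive, whole-fingerprint comparison only, so a
# short key id in validpgpkeys never matches), 1 otherwise.
check_validsig() {
    status=$1; shift
    found=1
    for fpr in $(printf '%s\n' "$status" | tag_fingerprints); do
        fpr_uc=$(printf '%s' "$fpr" | tr 'a-z' 'A-Z')
        for key in "$@"; do
            key_uc=$(printf '%s' "$key" | tr 'a-z' 'A-Z')
            [ "$fpr_uc" = "$key_uc" ] && found=0
        done
    done
    return $found
}

# verify_git_tag <repo> <tag> key...: wire the real command into the same
# check.  --raw sends the status lines to stderr, so capture stderr and drop
# stdout; a tag with no valid signature at all makes git exit non-zero.
verify_git_tag() {
    repo=$1; tag=$2; shift 2
    raw=$(git -C "$repo" verify-tag --raw "$tag" 2>&1 >/dev/null) || return 1
    check_validsig "$raw" "$@"
}
```

Run as `verify_git_tag /path/to/bare/repo v12 "${validpgpkeys[@]}"` in a bash PKGBUILD context; a repository whose tag is unsigned, or signed by a key outside the list, returns non-zero.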