Hi,

I would like to work on verifying git signed tags. So far I've actually managed to hack it into makepkg, but by missing a lot of edge cases and, well, writing an ugly implementation. [1] Some of this work has been borrowed from the systemd PKGBUILD. [2]

Example with vte3-ng:

    ==> Validating source files with md5sums...
        vte-ng ... Skipped
    ==> Verifying source file signatures with gpg...
        vte-ng ... Passed

Of course the hacks I've put in there are never going to be accepted even if I bribe Allan with a case of bourbon.

I can think of the following issues and edge cases which need to be handled:

* git URL, but no #tag= or #commit= specified: should verify HEAD on the #branch, or the no-tag, no-commit, no-branch case.
* Not parsing or testing invalid signed tags; not sure how git verify-tag displays errors, so that needs more work.
* I would like to move the git verification into source/git.sh.in and then re-use the code which extracts #branch, #commit etc. It would also reduce the clutter in verify_signature.sh.in. Another idea is to move the verification into integrity/verify_git.sh.in.
* Changing the directory is cumbersome. git offers git -C $path verify-tag $tag to resolve that.
* Multiple sources, .tar.gz{,asc} and a git one (rare, but should be handled), or multiple git sources.

So tl;dr, I would love to see a pointer where I should call my own verification function for git sources, or any other edge cases I've missed :)

[1] https://github.com/jelly/pacman/commit/5172a74ed9de422429d18034841acf8025fd3...
[2] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packag...

-- 
Jelle van der Waa
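The fragment handling and the `git -C` verification the post describes, as an added example that is neither Jelle's patch nor makepkg's own code: it maps a git source URL's #tag=/#commit=/#branch= fragment (or none, meaning HEAD) to the matching `git verify-tag` / `git verify-commit` call. The directory, URL and fragment values are constructed; a branch is assumed to be present by name in the local clone.

```shell
#!/bin/sh
# Added example, not part of the original post or of makepkg.

# Print "<type> <value>" for the fragment of a makepkg-style git source URL
# (tag, commit or branch), "head" when no fragment is given, or "unknown".
git_source_ref() {
    url=$1
    frag=${url#*#}                      # strip everything up to the first '#'
    if [ "$frag" = "$url" ]; then       # no '#': nothing to strip, verify HEAD
        echo "head"
        return 0
    fi
    case $frag in
        tag=*)    echo "tag ${frag#tag=}" ;;
        commit=*) echo "commit ${frag#commit=}" ;;
        branch=*) echo "branch ${frag#branch=}" ;;
        *)        echo "unknown"; return 1 ;;
    esac
}

# Print the git command that checks the signature of the selected object in
# the clone at $1, using git -C so no directory change is needed. Tags are
# checked with verify-tag; commits, branch tips and HEAD with verify-commit.
git_verify_cmd() {
    dir=$1
    set -- $(git_source_ref "$2")
    case $1 in
        tag)    echo "git -C $dir verify-tag $2" ;;
        commit) echo "git -C $dir verify-commit $2" ;;
        branch) echo "git -C $dir verify-commit $2" ;;   # signed commit at branch tip
        head)   echo "git -C $dir verify-commit HEAD" ;;
        *)      return 1 ;;                               # unsupported fragment
    esac
}

# Run the verification; returns git's exit status (non-zero on a bad or
# missing signature, or on an unrecognised fragment).
git_verify_source() {
    cmd=$(git_verify_cmd "$1" "$2") || return 1
    $cmd
}

# Constructed usage: verify the tag referenced by a source URL.
# git_verify_source "$srcdir/vte-ng" \
#     "git+https://example.org/vte-ng.git#tag=v1.0" && echo "Passed"
```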