[arch-general] gpg source validation for kernel.org style signatures
Christian Hesse
list at eworm.de
Mon Jan 5 06:46:35 UTC 2015
Doug Newgard <scimmia at archlinux.info> on Sun, 2015/01/04 16:03:
> On Sun, 4 Jan 2015 22:05:21 +0100
> Christian Hesse <list at eworm.de> wrote:
>
> > Hello everybody,
> >
> > pacman 4.2.0 gained support for verifying source tarballs with
> > kernel.org style signature. Some (even essential) packages could
> > benefit from that, linux and git come to mind.
> >
> > How to handle this? Report a bug for every package? Provide a list
> > here?
>
> A lot of it is already happening:
> https://www.archlinux.org/todo/validpgpkeys-integrity-check/
This is about the validpgpkeys array. Glad to see this happen, but it is not what
I was speaking about: If the tar archive (instead of the compressed archive)
was signed, pacman < 4.2.0 could not check. That is why you cannot find these
with grep.
> If you want it added to a package that isn't on that list, the bug
> tracker is probably the best bet. Note that the linux package already
> has it.
Ah, I can see it on the website, but abs did not yet sync it. Thanks!
--
main(a){char*c=/* Kind regards */"B?IJj;MEH"
"CX:;",b;for(a/* Chris get my mail address: */=0;b=c[a++];)
putchar(b-1/(/* gcc -o sig sig.c && ./sig */b/42*2-3)*42);}
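
The check discussed in this thread, as an added example that is not part of the original messages and is not makepkg's own code: a kernel.org style signature covers the uncompressed .tar, so the archive is decompressed on the fly and streamed to gpg, and the signing key is compared with an allow-list in the role of validpgpkeys. The function names are hypothetical and the caller supplies the fingerprints.

```shell
#!/bin/sh
# Added example: verify a detached signature made over the uncompressed tar.

# Print the decompression command for a compressed tarball, by extension.
decompressor_for() {
    case "$1" in
        *.tar.xz)  echo "xz -dc" ;;
        *.tar.gz)  echo "gzip -dc" ;;
        *.tar.bz2) echo "bzip2 -dc" ;;
        *) return 1 ;;
    esac
}

# Read `gpg --status-fd` output on stdin. Print the signing key fingerprint
# from the VALIDSIG line; fail if there is none or if gpg reported a bad,
# expired or revoked signature or key.
validsig_fingerprint() {
    awk '
        $1 == "[GNUPG:]" && $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && fpr == "" { fpr = $3 }
        END { if (bad || fpr == "") exit 1; print fpr }
    '
}

# Is fingerprint $1 in the space-separated allow-list $2?
fingerprint_allowed() {
    for k in $2; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# verify_tar_signature ARCHIVE SIGFILE "ALLOWED FINGERPRINTS"
# e.g. verify_tar_signature linux-X.Y.tar.xz linux-X.Y.tar.sign "<FINGERPRINT>"
verify_tar_signature() {
    dec=$(decompressor_for "$1") || { echo "unknown compression: $1" >&2; return 2; }
    # gpg reads the signed data (the plain tar stream) from stdin ("-").
    status=$($dec < "$1" | gpg --status-fd 1 --verify "$2" - 2>/dev/null)
    fpr=$(printf '%s\n' "$status" | validsig_fingerprint) || return 1
    fingerprint_allowed "$fpr" "$3"
}
```

The signing key must already be in the local keyring; without it gpg emits no VALIDSIG line and the check fails closed.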