[arch-general] gpg source validation for kernel.org style signatures

Daniel Micay danielmicay at gmail.com
Mon Jan 5 09:01:12 UTC 2015

On 04/01/15 05:03 PM, Doug Newgard wrote:
> On Sun, 4 Jan 2015 22:05:21 +0100
> Christian Hesse <list at eworm.de> wrote:
>> Hello everybody,
>> pacman 4.2.0 gained support for verifying source tarballs with
>> kernel.org style signature. Some (even essential) packages could
>> benefit from that, linux and git come to mind.
>> How to handle this? Report a bug for every package? Provide a list
>> here?
> A lot of it is already happening:
> https://www.archlinux.org/todo/validpgpkeys-integrity-check/
> If you want it added to a package that isn't on that list, the bug
> tracker is probably the best bet. Note that the linux package already
> has it.
> Doug

That rebuild is just to fix packages that were already using GPG
signatures and need the fingerprint(s) added. There are a lot that could
be using them and aren't yet. This could likely be automated to a large

Using a script to detect if HTTPS works for fetching the sources along
with checking for signature files by appending .asc and .sig seems like
a promising plan.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150105/b40174b8/attachment.bin>

More information about the arch-general mailing list