[arch-general] gpg source validation for kernel.org style signatures

Daniel Micay danielmicay at gmail.com
Mon Jan 5 09:09:50 UTC 2015

On 04/01/15 04:05 PM, Christian Hesse wrote:
> Hello everybody,
> pacman 4.2.0 gained support for verifying source tarballs with kernel.org
> style signature. Some (even essential) packages could benefit from that,
> linux and git come to mind.
> How to handle this? Report a bug for every package? Provide a list here?

I would create a wiki page with the list and then see if you can find a
developer interested in mass-adding the missing signatures. I'd be
interested in helping with it for [community], but you'll likely be able
to do it yourself soon ;).

Note that you should check svn rather than abs because theres usually no
rebuild for something like this. The linux{-lts,-grsec} packages are
using the new feature now.

I expect that this can be automated to a large extent. Looking for files
with .asc / .sig extensions doesn't need to be done by hand. It also
makes sense to figure out which packages can use HTTPS to fetch sources
since that's a lot better than nothing if no signatures are available.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150105/02098088/attachment-0001.bin>

More information about the arch-general mailing list