[arch-general] gpg source validation for kernel.org style signatures
Daniel Micay
danielmicay at gmail.com
Mon Jan 5 17:37:06 UTC 2015
On 05/01/15 12:28 PM, Leonid Isaev wrote:
> On Mon, Jan 05, 2015 at 10:16:10AM +0100, Christian Hesse wrote:
>> I do not think we need HTTPS, though it does not hurt. If anybody tries to
>> fool us with man-in-the-middle via HTTP we should detect that just fine with
>> broken signatures (given signatures are provided...).
>>
>> Appending .sign may help as well. In fact for an example file archive.tar.xz
>> we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>>
>> $ export FILE=archive.tar.xz
>> $ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>> archive.tar.xz.asc
>> archive.tar.xz.sig
>> archive.tar.xz.sign
>> archive.tar.asc
>> archive.tar.sig
>> archive.tar.sign
>
> Does makepkg(8) know how to check sigs of .tar files as opposed to .tar.xz?
Yes, it learned how to do that in the most recent release.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20150105/953cee28/attachment.bin>
More information about the arch-general
mailing list