SSH commit signatures on AUR

Sebastian Wiesner sebastian at swsnr.de
Sat Apr 2 07:50:46 UTC 2022


On Friday, 01.04.2022 at 18:33 -0700, Kevin Morris via aur-dev wrote:
> This brings up a question, though:
> 
> How do we treat verified commits? Do we check these at all from a
> server, standpoint, or is it purely for consumers?
> 
> I already sign my AUR commits, and I can verify them:
> 
> (venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
> gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
> gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
> gpg: Good signature from "Kevin Morris (kevr) <kevr at 0cost.org>" [ultimate]
> 
> So this seems to already be possible. Are we looking for some kind of
> AUR package webview visible Verified tag that shows when HEAD is
> verified?

I'd like to have a "Verified" badge in order to encourage signing.

I also sign my AUR commits, but in my experience most AUR maintainers
don't; making signatures visible in the web interface would be a first
step to encourage signing.

But I'm not really pursuing this anymore, because there's apparently
little interest.

Cheers,
Basti
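A sketch of the server-side check Kevin asks about, added here as an example (not code from this thread or from aurweb): it parses the GnuPG status lines that `git verify-commit --raw` prints, maps them to the letters `git log --format=%G?` uses, and awards the badge only when the signing key's fingerprint is one the maintainer registered with their account. The registered set, the sample status lines and the function names are constructed for the example.

```python
"""Badge decision for an AUR HEAD commit, from `git verify-commit --raw` output.

The server's keyring trusts nobody, so the web of trust is irrelevant here:
a good signature counts only if the signing key is one the maintainer
registered with their AUR account (a constructed set below).
"""
import re

# Status words mapped to the letters `git log --format=%G?` reports
# (G good, B bad, E cannot be checked, X expired, Y expired key, R revoked).
STATUS_WORDS = {"GOODSIG": "G", "BADSIG": "B", "ERRSIG": "E",
                "EXPSIG": "X", "EXPKEYSIG": "Y", "REVKEYSIG": "R"}
UNKNOWN_TRUST = {"TRUST_UNDEFINED", "TRUST_NEVER"}  # good sig, key validity unknown -> "U"

def parse_status(raw):
    """Return the %G?-style code and the signing key's fingerprint (or None)."""
    code, fpr = "N", None          # "N": no signature seen at all
    for line in raw.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?$", line)
        if not m:
            continue               # human-readable gpg chatter, ignore
        word, rest = m.group(1), m.group(2) or ""
        if word in STATUS_WORDS:
            code = STATUS_WORDS[word]
        elif word == "VALIDSIG":
            fpr = rest.split()[0]  # first field: fingerprint of the signing (sub)key
        elif word in UNKNOWN_TRUST and code == "G":
            code = "U"
    return code, fpr

def badge_for(raw, registered_fprs):
    """Server-side verdict shown next to HEAD in the package web view."""
    code, fpr = parse_status(raw)
    if code == "N":
        return "unsigned"
    if code not in ("G", "U"):
        return "invalid"           # bad, expired, revoked or uncheckable
    return "verified" if fpr in registered_fprs else "signed-by-unregistered-key"

# Constructed samples, modelled on the verify-commit output quoted above.
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG F7E46DED420788F3 Kevin Morris (kevr) <kevr at 0cost.org>
[GNUPG:] VALIDSIG 0F985B6F99B6686854C44EC3F7E46DED420788F3 2022-01-03 1641245304 0 4 0 1 8 01 0F985B6F99B6686854C44EC3F7E46DED420788F3
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG F7E46DED420788F3 Kevin Morris (kevr) <kevr at 0cost.org>\n"
REGISTERED = {"0F985B6F99B6686854C44EC3F7E46DED420788F3"}  # constructed account record
```

Because the server has no trust path to anyone's key, a "U" (good signature, unknown validity) is the normal case there; pinning the fingerprint to the account is what turns it into a meaningful badge.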

