SSH commit signatures on AUR

Jelle van der Waa jelle at vdwaa.nl
Mon Apr 4 08:20:07 UTC 2022


On 02/04/2022 09:50, Sebastian Wiesner via aur-dev wrote:
> On Friday, 01.04.2022 at 18:33 -0700, Kevin Morris via aur-dev wrote:
>> This brings up a question, though:
>>
>> How do we treat verified commits? Do we check these at all from a
>> server standpoint, or is it purely for consumers?
>>
>> I already sign my AUR commits, and I can verify them:
>>
>> (venv) { kevr sprunge } > git verify-commit
>> 8d5259274278ac103c45622ed91b5ee83673db2
>> gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
>> gpg:                using RSA key
>> 0F985B6F99B6686854C44EC3F7E46DED420788F3
>> gpg: Good signature from "Kevin Morris (kevr) <kevr at 0cost.org>"
>> [ultimate]
>>
>> So this seems to already be possible. Are we looking for some kind of
>> AUR package webview visible Verified tag that shows when HEAD is
>> verified?
> 
> I'd like to have a "Verified" badge in order to encourage signing.

As AURWeb uses cgit to display git commits, showing a verified badge 
should be implemented upstream. [1]

[1] https://git.zx2c4.com/cgit/about/