SSH commit signatures on AUR

Sebastian Wiesner sebastian at swsnr.de
Mon Apr 4 10:33:36 UTC 2022


On Monday, 04.04.2022 at 10:20 +0200, Jelle van der Waa via aur-dev wrote:
> On 02/04/2022 09:50, Sebastian Wiesner via aur-dev wrote:
> > On Friday, 01.04.2022 at 18:33 -0700, Kevin Morris via aur-dev wrote:
> > > This brings up a question, though:
> > > 
> > > How do we treat verified commits? Do we check these at all from a
> > > server, standpoint, or is it purely for consumers?
> > > 
> > > I already sign my AUR commits, and I can verify them:
> > > 
> > > (venv) { kevr sprunge } > git verify-commit 8d5259274278ac103c45622ed91b5ee83673db2
> > > gpg: Signature made Mon 03 Jan 2022 01:28:24 PM PST
> > > gpg:                using RSA key 0F985B6F99B6686854C44EC3F7E46DED420788F3
> > > gpg: Good signature from "Kevin Morris (kevr) <kevr at 0cost.org>" [ultimate]
> > > 
> > > So this seems to already be possible. Are we looking for some kind of
> > > AUR package webview visible Verified tag that shows when HEAD is
> > > verified?
> > 
> > I'd like to have a "Verified" badge in order to encourage signing.
> 
> As AURWeb uses cgit to display git commits, showing a verified badge 
> should be implemented upstream. [1]

I'd like that badge to have a prominent place on the AUR package pages,
not hidden away in the Git commit display (I didn't even know that this
existed so far).  E.g. right under the "Git clone URL" there could be a

"HEAD commit: Signed by package maintainer"

or 

"HEAD commit: Unsigned/unknown signature"

line to indicate that the latest commit was or wasn't signed with an
SSH or PGP key of one of the maintainers of the package.

Cheers,
Basti
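The check Sebastian sketches above (is HEAD signed, and is the signing key one that a current maintainer has registered?) is easy to get subtly wrong on a server: gpg's trust level is meaningless there, and an SSH key that merely verifies is not automatically a maintainer's key. The following is an added example, not code from AURWeb or from anyone in this thread. It assumes the server obtains the signature status of HEAD with `git log -1 --format='%G?%x09%GF%x09%GP' HEAD` (trust letter, fingerprint of the signing key, fingerprint of the primary key when a PGP subkey signed), and that the set of maintainer keys (PGP fingerprints and SSH `SHA256:` fingerprints) comes from the AUR account data. The sample status lines and the SSH fingerprint are constructed; the PGP fingerprint is the one shown earlier in the thread.

```python
"""Map git's signature status for HEAD to the proposed AUR badge text.

Added example; not AURWeb code.  Assumed input (one line from
    git log -1 --format='%G?%x09%GF%x09%GP' HEAD
): <%G? letter> TAB <signing-key fingerprint> TAB <primary-key fingerprint>.
With gpg.format=ssh, %GF carries the key's SHA256: fingerprint and %GP is empty.
"""
from dataclasses import dataclass

SIGNED = "HEAD commit: Signed by package maintainer"
UNSIGNED = "HEAD commit: Unsigned/unknown signature"

# %G? letters (git-log(1)): G good, U good but unknown validity, X/Y expired,
# R revoked, B bad, E cannot check, N no signature.  A server does not have a
# web of trust, so G and U are both "the signature verifies"; the maintainer
# decision is made purely on the key fingerprint below.  Note that git reports
# U for an SSH key that verifies but is absent from allowedSignersFile, so U
# on its own must never be taken to mean "maintainer".
VERIFIES = {"G", "U"}

HEX = set("0123456789abcdefABCDEF")


@dataclass(frozen=True)
class SigStatus:
    status: str
    key_fpr: str      # key that made the signature (PGP hex or SSH SHA256:...)
    primary_fpr: str  # primary PGP key if a subkey signed, else ""


def normalize(fpr: str) -> str:
    """PGP fingerprints are hex and case-insensitive; SSH SHA256 fingerprints
    are base64 and must match byte for byte, so only hex is upper-cased."""
    fpr = fpr.strip()
    return fpr.upper() if fpr and set(fpr) <= HEX else fpr


def parse_status(line: str) -> SigStatus:
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 3:
        raise ValueError(f"expected 3 tab-separated fields, got {len(parts)}")
    status, key_fpr, primary_fpr = parts
    return SigStatus(status.strip(), normalize(key_fpr), normalize(primary_fpr))


def badge(line: str, maintainer_keys: set[str]) -> tuple[str, str]:
    """Return (badge text, reason).  Signed-by-maintainer requires both a
    verifying signature and a key currently registered to a maintainer."""
    st = parse_status(line)
    if st.status == "N":
        return UNSIGNED, "no signature"
    if st.status not in VERIFIES:
        return UNSIGNED, f"signature status {st.status!r}"
    allowed = {normalize(k) for k in maintainer_keys}
    # Match the subkey's primary key too: AUR accounts register the primary
    # PGP fingerprint, while gpg usually signs with a signing subkey.
    if st.key_fpr in allowed or (st.primary_fpr and st.primary_fpr in allowed):
        return SIGNED, f"key {st.key_fpr}"
    return UNSIGNED, f"key {st.key_fpr} is not registered to a current maintainer"


# Constructed maintainer key set: the PGP fingerprint from the thread plus a
# made-up SSH fingerprint (hypothetical, 43 base64 chars like ssh-keygen prints).
MAINTAINERS = {
    "0F985B6F99B6686854C44EC3F7E46DED420788F3",
    "SHA256:2iH0mKz2V7WtZ8OgL2bS1p3jK4qRa9Uu0eYx7cPqW1E",
}

# Constructed status lines as git would print them for different HEAD commits.
SAMPLES = {
    "pgp, trusted": "G\t0F985B6F99B6686854C44EC3F7E46DED420788F3\t0F985B6F99B6686854C44EC3F7E46DED420788F3",
    "pgp subkey":   "G\tDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF\t0f985b6f99b6686854c44ec3f7e46ded420788f3",
    "ssh, no wot":  "U\tSHA256:2iH0mKz2V7WtZ8OgL2bS1p3jK4qRa9Uu0eYx7cPqW1E\t",
    "ssh, unknown": "U\tSHA256:AAAAB3NzaC1lZDI1NTE5AAAAIHpqdGVzdHRlc3R0ZXN\t",
    "former maint": "G\tCAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE\tCAFEBABECAFEBABECAFEBABECAFEBABECAFEBABE",
    "bad sig":      "B\t0F985B6F99B6686854C44EC3F7E46DED420788F3\t0F985B6F99B6686854C44EC3F7E46DED420788F3",
    "unsigned":     "N\t\t",
}


def run_samples() -> dict[str, str]:
    """Badge text for every constructed sample, keyed by sample name."""
    return {name: badge(line, MAINTAINERS)[0] for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        text, why = badge(line, MAINTAINERS)
        print(f"{name:13} -> {text}  ({why})")
```

The two cases worth noticing are "ssh, unknown" and "former maint": both signatures verify cryptographically (status U and G respectively), yet neither key belongs to a current maintainer, so both get the "Unsigned/unknown signature" line. If the server only looked at the `%G?` letter, as cgit's display effectively does, both would appear verified.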

