[aur-general] Support for remote sums in PKGBUILDs

Doug Newgard scimmia22 at outlook.com
Mon Oct 21 22:40:42 EDT 2013


----------------------------------------
> Date: Mon, 21 Oct 2013 22:19:32 -0400
> From: ido at kernel.org
> To: aur-general at archlinux.org
> Subject: Re: [aur-general] Support for remote sums in PKGBUILDs
>
> - Do PKGBUILDs support signing the PKGBUILD and verifying that signature?
> (This seems like a good feature for yaourt or possible makepkg if it isn't
> one already.)
> It seems like if you want safety from MITM attacks, PGP sigs are the way
> to go, either sign the PKGBUILD and put the checksum in there, or include
> the signature of the source file in the tarball/pkg. (This is already
> provided for binary pkgs, but not source ones, correct? Seems easy enough
> to add a PKGBUILD signature and teach makepkg to use it.)
>
>
>
> On Mon, Oct 21, 2013 at 10:13 PM, Doug Newgard <scimmia22 at outlook.com> wrote:
>
>> ----------------------------------------
>>> From: adys.wh at gmail.com
>>> Date: Tue, 22 Oct 2013 01:56:16 +0100
>>> To: aur-general at archlinux.org
>>> Subject: [aur-general] Support for remote sums in PKGBUILDs
>>>
>>> Breaking away from an IRC convo from this morning; has support for
>>> remote sums been considered for pacman?
>>> It's currently possible to do this for .sig files (through the source
>>> array), but not available for simple sha/md5 hashes. This would let
>>> packagers do something like:
>>> source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
>>> sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
>>>
>>> (Of course, only for servers that generate a programmatically
>>> discoverable hash of some sort; but it's not actually uncommon)
>>>
>>> J. Leclanche
>>
>> Couldn't you just do:
>> sha1sums=("$(curl http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
>>
>> It kind of defeats the purpose, though. If the server is hacked or someone
>> does a MitM, they can easily replace the checksum file as well.
>>

Let's be realistic here, you're not going to get all of the PKGBUILDs in the AUR signed with PGP.
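The point raised above, that a checksum file fetched from the same origin as the tarball adds nothing once that origin is compromised or intercepted, as an added shell example (not part of any message in this thread). It simulates the server as a local directory with constructed sample files and assumes coreutils `sha1sum`; the package name `foo-1.0` is a placeholder.

```shell
# Added illustration, not from the thread: publish a tarball and its .sha1
# side by side, then compare a same-origin ("remote") sum against a sum
# pinned in the PKGBUILD once the published content is replaced.

setup_server() {
  # $1 = server dir. Constructed sample data standing in for a real mirror.
  mkdir -p "$1"
  printf 'original source\n' > "$1/foo-1.0.tar.xz"
  (cd "$1" && sha1sum foo-1.0.tar.xz > foo-1.0.tar.xz.sha1)
}

tamper_server() {
  # The origin now serves different content and a matching .sha1 next to it,
  # which is exactly what a compromised server or a MitM can do.
  printf 'modified source\n' > "$1/foo-1.0.tar.xz"
  (cd "$1" && sha1sum foo-1.0.tar.xz > foo-1.0.tar.xz.sha1)
}

verify_remote_sum() {
  # Equivalent of the curl trick: take the hash from the same origin as the
  # archive and compare. Returns 0 when they match.
  expected=$(cut -d' ' -f1 "$1/foo-1.0.tar.xz.sha1")
  actual=$(sha1sum "$1/foo-1.0.tar.xz" | cut -d' ' -f1)
  [ "$expected" = "$actual" ]
}

verify_pinned_sum() {
  # Compare against a hash ($2) recorded in the PKGBUILD at packaging time.
  actual=$(sha1sum "$1/foo-1.0.tar.xz" | cut -d' ' -f1)
  [ "$2" = "$actual" ]
}

# Prints "remote=<ok|FAIL> pinned=<ok|FAIL>" for the tampered server.
demo() {
  srv=$(mktemp -d)
  setup_server "$srv"
  pinned=$(sha1sum "$srv/foo-1.0.tar.xz" | cut -d' ' -f1)  # what the packager records
  tamper_server "$srv"
  r=FAIL; verify_remote_sum "$srv" && r=ok
  p=FAIL; verify_pinned_sum "$srv" "$pinned" && p=ok
  rm -rf "$srv"
  echo "remote=$r pinned=$p"
}

demo
```

The remote sum still reports `ok` after the swap because it was regenerated with the archive, while the pinned sum fails; only the value recorded outside the origin (a pinned hash or a signature from a key the packager holds) detects the change.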

