[pacman-dev] [PATCH] makepkg: sums: Add FILE and SIGNED-MSG modes

Allan McRae allan at archlinux.org
Fri Nov 6 05:12:51 UTC 2015


On 06/11/15 04:48, Olivier Brunel wrote:
> Verifying PGP signatures was only done by expecting them to be detached
> signature of the source code, which is the case on many occasions.
> However, some upstreams actually do things a bit differently, specifically there
> are two other main ways things can be done:
> 
> - a checksum file is provided, as well as a detached signature of that file. For
>   such cases, this adds a special mode (alongside SKIP) to the sums array: FILE
>   In that case, for filename.ext a file filename.ext.$ALGO is expected to be a
>   standard checksum file - i.e. contain at least a line with the hash, spaces,
>   then the filename - and the hash used will be the one from that file.
>   Obviously this should be used when a detached signature of the file is
>   provided, which will be treated by makepkg just as usual.
>   An example package could be firefox.
> 
> - a checksum file is provided as a signed message. For such cases, this adds a
>   mode SIGNED-MSG, as it expects a file filename.ext.$ALGO.signed-msg to be the
>   signed message. Upon hash checking, it will "extract" said message from the
>   file via gpg, then use it much like in the FILE case.
>   And during PGP signature checking, *.signed-msg files are verified as signed
>   messages instead of detached signatures.
>   An example package could be harfbuzz.
> 
> Note that this doesn't change generation (--geninteg) since it can't be done
> automatically.
> 
> Signed-off-by: Olivier Brunel <jjk at jjacky.com>

I am going to canvas on opinions for this.

My opinion is that this should not be included in makepkg because of
there being no standard on the format of any of these files.  You have
used the output of coreutils hashing tools, but upstreams could use
openssl, or anything else.  If we support one, we need to support them all.

Also, the packager needs to download the checksum files and their
signatures to verify the source while packaging.  Putting the hash in the
PKGBUILD prevents everyone else doing this.  It also prevents upstream
changing the released source (it happens...), and hash files and no-one
noticing.

Allan
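To make the format problem raised above concrete, here is an added example (not makepkg's code, nor the patch's): a POSIX shell lookup that resolves the hash a FILE-mode entry would use from an upstream checksum file in either the coreutils layout or the openssl/BSD layout, then rejects anything that is not a hex digest of the algorithm's length. The function names, the sample checksum files and the filenames in them are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not makepkg code: look FILENAME up in an upstream checksum file,
# accepting the coreutils layout ("<hash>  <file>" or "<hash> *<file>" in binary
# mode) and the openssl/BSD layout ("SHA256(<file>)= <hash>", "SHA256 (<file>) = <hash>").
# Usage: sum_from_file FILENAME ALGO SUMFILE -> prints the hash, status 1 if absent
sum_from_file() {
    awk -v f="$1" -v a="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        # coreutils layout: two fields, name possibly prefixed by "*" (binary mode)
        NF == 2 && ($2 == f || $2 == "*" f) { print $1; found = 1; exit }
        # openssl/BSD layout: "<ALGO>[ ](<file>)[ ]= <hash>"
        {
            p = index($0, "("); q = index($0, ")")
            if (p > 1 && q > p) {
                alg = substr($0, 1, p - 1); sub(/ +$/, "", alg)
                name = substr($0, p + 1, q - p - 1)
                rest = substr($0, q + 1); sub(/^ *= */, "", rest)
                if (toupper(alg) == a && name == f) { print rest; found = 1; exit }
            }
        }
        END { exit !found }
    ' "$3"
}
# Expected hex length per algorithm (the algorithms makepkg's *sums arrays use)
hash_len() {
    case "$1" in
        md5) echo 32 ;;    sha1) echo 40 ;;   sha224) echo 56 ;;
        sha256) echo 64 ;; sha384) echo 96 ;; sha512|b2) echo 128 ;;
        *) return 1 ;;
    esac
}
# checked_sum FILENAME ALGO SUMFILE: as above, but refuse anything that is not a
# lower-case hex string of the algorithm's length (hypothetical helper).
checked_sum() {
    h=$(sum_from_file "$1" "$2" "$3") || return 1
    n=$(hash_len "$2") || return 1
    printf '%s' "$h" | grep -Eqx "[0-9a-f]{$n}" || return 1
    printf '%s\n' "$h"
}
# Constructed sample checksum files standing in for upstream-provided ones.
tmp=${TMPDIR:-/tmp}/sums.$$; mkdir -p "$tmp"; trap 'rm -rf "$tmp"' EXIT
printf '%s\n' \
  'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  foo-1.0.tar.gz' \
  '2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae *bar-2.0.tar.xz' \
  > "$tmp/SHA256SUMS"
printf '%s\n' \
  'SHA256(foo-1.0.tar.gz)= e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' \
  'SHA256 (bar-2.0.tar.xz) = 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae' \
  > "$tmp/sha256.txt"
checked_sum foo-1.0.tar.gz sha256 "$tmp/SHA256SUMS"   # coreutils layout
checked_sum bar-2.0.tar.xz sha256 "$tmp/sha256.txt"   # openssl/BSD layout
```

Note that a filename containing spaces already defeats the two-field coreutils rule, which is one more reason every layout variant would need its own handling.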
