[pacman-dev] makepkg: verify git sources

Jelle van der Waa jelle at vdwaa.nl
Wed Dec 7 20:48:51 UTC 2016


Hi,

I would like to work on verifying git signed tags. So far I've actually
managed to hack it into makepkg, but by missing a lot of edge cases and,
well, writing an ugly implementation. [1]
Some of this work has been borrowed from the systemd PKGBUILD. [2]

Example with vte3-ng:

==> Validating source files with md5sums...
vte-ng ... Skipped
==> Verifying source file signatures with gpg...
vte-ng ... Passed


Of course the hacks I've put in there are never going to be accepted
even if I bribe Allan with a case of bourbon.

I can think of the following issues, edge-cases which need to be
handled:

* git url, but no #tag= or #commit= specified, should verify HEAD on the
  #branch, or the no tag, commit, branch case.
* Invalid signed tags are not parsed or tested; not sure how git verify-tag
  displays errors, so that needs more work.
* I would like to move the git verification into source/git.sh.in and
  then re-use the code which extracts #branch, #commit etc. It would
  also reduce the clutter in verify_signature.sh.in. Another idea is to
  move the verification into integrity/verify_git.sh.in.
* Changing the directory is cumbersome. git offers git -C $path
  verify-tag $tag to resolve that.
* Multiple sources, .tar.gz{,asc} and a git one (rare, but should be
  handled), or multiple git sources.

So tl;dr, I would love to see a pointer where I should call my own
verification function for git sources or any other edge-cases I've
missed :)

[1] https://github.com/jelly/pacman/commit/5172a74ed9de422429d18034841acf8025fd34c8
[2] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/systemd

-- 
Jelle van der Waa
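The edge cases listed above (no #tag=/#commit= fragment, running git in the
clone directory via git -C, and telling a failed verification apart from a
passed one) in one place, as an added example for this thread and not code
from the linked commit or from makepkg itself. It assumes a source string of
the form [name::]git+URL[#tag=T|#commit=C|#branch=B], that the repository has
already been cloned into the directory passed as the first argument (makepkg
does that in its own download step), and that "origin" is the remote name in
that clone; the function names are hypothetical. It keys the decision off the
fragment alone, whereas makepkg as later released marks verifiable git sources
with a "?signed" suffix instead.

```shell
#!/bin/sh
# Hypothetical helper for this discussion; not makepkg's own code.
# Source syntax assumed: [name::]git+URL[#tag=T|#commit=C|#branch=B]

# Print which object the fragment selects ("tag", "commit", "branch" or
# "head") followed by its value. Unknown fragments are an error.
git_fragment() {
    local src=$1 frag=
    case $src in
        *#*) frag=${src#*#} ;;
    esac
    case $frag in
        tag=*)    printf 'tag %s\n' "${frag#tag=}" ;;
        commit=*) printf 'commit %s\n' "${frag#commit=}" ;;
        branch=*) printf 'branch %s\n' "${frag#branch=}" ;;
        '')       printf 'head\n' ;;
        *)        printf 'unknown %s\n' "$frag" >&2; return 1 ;;
    esac
}

# Verify the signature on whatever the source's fragment points at, inside
# the already-cloned repository $1, without changing directory (git -C).
# Exit status is git's own: 0 only for a good signature from a known key;
# non-zero for an unsigned object, a bad signature, or an unknown key.
verify_git_source() {
    local dir=$1 src=$2 sel kind ref
    sel=$(git_fragment "$src") || return 1
    kind=${sel%% *}
    ref=${sel#* }
    case $kind in
        tag)    git -C "$dir" verify-tag "$ref" ;;
        commit) git -C "$dir" verify-commit "$ref" ;;
        # No tag/commit: verify the tip of the requested branch...
        branch) git -C "$dir" verify-commit "origin/$ref" ;;
        # ...or, with no fragment at all, whatever HEAD is after the clone.
        head)   git -C "$dir" verify-commit HEAD ;;
        *)      return 1 ;;
    esac
}

# Stand-alone usage: verify_git_source.sh <clone-dir> <source-string>
if [ $# -eq 2 ]; then
    if verify_git_source "$1" "$2"; then
        printf '%s ... Passed\n' "$2"
    else
        printf '%s ... FAILED\n' "$2" >&2
        exit 1
    fi
fi
```

Relying on the exit status rather than on scraping git's messages sidesteps
the "how does verify-tag display errors" question, at the cost of not
distinguishing an unsigned tag from a bad signature; when that distinction is
needed, `git verify-tag --raw` (and `git verify-commit --raw`) emit gpg's
machine-readable status lines on stderr, which is the format to parse. Note
that a lightweight tag, as created by a bare `git tag`, carries no signature
object at all and is rejected by verify-tag, so a PKGBUILD pinning one can
never pass.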