[pacman-dev] makepkg: verify git sources

Eli Schwartz eschwartz93 at gmail.com
Thu Dec 8 02:00:53 UTC 2016


On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
> I would like to work on verifying git signed tags. So far I've actually
> managed to hack it into makepkg, but by missing a lot of edge cases and,
> well, writing an ugly implementation. [1]
> Some of this work has been borrowed from the systemd PKGBUILD. [2]

This is something I want to see also.

> Of course the hacks I've put in there are never going to be accepted
> even if I bribe Allan with a case of bourbon.
> 
> I can think of the following issues, edge-cases which need to be
> handled:
> 
> * git url, but no #tag= or #commit= specified, should verify HEAD on the
>  #branch or no tag, commit, branch case.

I imagine that should be handled just like #commit= using verify-commit
HEAD, why does it need to be special-cased?

> * Not parsing or testing invalid signed tags; not sure how git verify-tag
>   displays errors, so that needs more work.

Non-signed tags return an "error: no signature found", non-signed
commits just return an error.

> * I would like to move the git verification into source/git.sh.in and
>   then re-use the code which extracts #branch, #commit etc. It would
>   also reduce the clutter in verify_signature.sh.in. Another idea is to
>   move the verification into integrity/verify_git.sh.in.

Or extract the logic into a new function and reuse it in integrity/.

> * Changing the directory is cumbersome. git offers git -C $path
>   verify-tag $tag to resolve that.
> * Multiple sources, .tar.gz{,asc} and a git one. (Rare but should be
>   handled) Or multiple git sources.

Or put another way, how should a PKGBUILD declare that git GPG
verification is demanded, for that particular source?

> So tl;dr, I would love to see a pointer where I should call my own
> verification function for git sources or any other edge-cases I've
> missed :)

Well, aside from the confusing tab --> spaces thing...
(It trips me up too, I keep having to remember to ":set noexpandtab")

I have something similar-ish, but probably a lot uglier :p here:
https://github.com/eli-schwartz/pacman/commit/edde351d919a5baf8c31764c5cfe9e058a2a5771

-- 
Eli Schwartz
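The points raised in the thread (splitting the #tag=/#commit=/#branch= fragment out of a source entry, treating the no-fragment and branch cases like #commit= via verify-commit HEAD, using "git -C" instead of changing directory, and the "no signature found" failure for unsigned tags) as one added shell example. This is illustration code written for this page, not makepkg's verify_signature.sh.in, Jelle's branch or Eli's commit; the function names, the "url|type|value" output format and the throwaway fixture repository with an unsigned commit and tag are assumptions made here so the script runs offline with only git installed.

```bash
#!/usr/bin/env bash
# Added example: makepkg-style verification of git sources. Not pacman code.
set -u

# Split a makepkg source entry into the clone URL and its fragment selector.
# Accepted forms (the "name::" prefix and the "git+" protocol prefix are the
# makepkg conventions; the output format "url|type|value" is ours):
#   name::git+https://host/repo.git#tag=v1.0
#   git+https://host/repo.git#commit=abc123
#   git+https://host/repo.git#branch=stable
#   git+https://host/repo.git                (no fragment -> type "none")
parse_git_source() {
    local entry=$1 url fragment ftype fvalue
    entry=${entry#*::}           # drop an optional "name::" prefix
    url=${entry%%#*}             # everything before the first '#'
    if [ "$url" = "$entry" ]; then
        fragment=""
    else
        fragment=${entry#*#}
    fi
    url=${url#git+}              # strip the VCS protocol prefix
    case $fragment in
        tag=*|commit=*|branch=*)
            ftype=${fragment%%=*}; fvalue=${fragment#*=} ;;
        "")
            ftype=none; fvalue="" ;;
        *)
            printf 'unknown fragment: %s\n' "$fragment" >&2; return 2 ;;
    esac
    printf '%s|%s|%s\n' "$url" "$ftype" "$fvalue"
}

# Verify whatever the fragment selects, using "git -C" rather than cd'ing.
#   tag    -> git verify-tag on the tag object
#   commit -> git verify-commit on that commit
#   branch -> git verify-commit on the branch tip
#   none   -> git verify-commit HEAD (same path as "commit", not special-cased)
# The exit status is git's own: non-zero for a missing or invalid signature,
# so an unsigned tag fails closed with "error: no signature found".
verify_git_source() {
    local dir=$1 ftype=$2 fvalue=$3
    case $ftype in
        tag)    git -C "$dir" verify-tag "$fvalue" ;;
        commit) git -C "$dir" verify-commit "$fvalue" ;;
        branch) git -C "$dir" verify-commit "refs/heads/$fvalue" ;;
        none)   git -C "$dir" verify-commit HEAD ;;
        *)      printf 'unsupported fragment type: %s\n' "$ftype" >&2; return 2 ;;
    esac
}

# Constructed fixture: a throwaway repository with one unsigned commit on
# "main" and one unsigned annotated tag "v1.0". Signing is forced off so the
# result does not depend on the caller's git config. Prints the directory.
make_unsigned_repo() {
    local dir
    dir=$(mktemp -d) || return 1
    git -C "$dir" init -q || return 1
    git -C "$dir" symbolic-ref HEAD refs/heads/main
    printf 'hello\n' > "$dir/README"
    git -C "$dir" add README
    git -C "$dir" -c user.name=fixture -c user.email=fixture@example.invalid \
        -c commit.gpgsign=false commit -q -m 'unsigned commit' || return 1
    git -C "$dir" -c user.name=fixture -c user.email=fixture@example.invalid \
        -c tag.gpgsign=false tag -a -m 'unsigned tag' v1.0 || return 1
    printf '%s\n' "$dir"
}

# Walk a few constructed source entries against the fixture and report the
# outcome of each; always returns 0 so the file can be sourced safely.
demo() {
    local repo entry parsed url ftype fvalue
    repo=$(make_unsigned_repo) || return 0
    for entry in 'git+file://fixture#tag=v1.0' \
                 'git+file://fixture#branch=main' \
                 'git+file://fixture'; do
        parsed=$(parse_git_source "$entry") || continue
        IFS='|' read -r url ftype fvalue <<EOF
$parsed
EOF
        if verify_git_source "$repo" "$ftype" "$fvalue" 2>/dev/null; then
            printf '%s: signature OK\n' "$entry"
        else
            printf '%s: verification FAILED (git exit status %s)\n' "$entry" "$?"
        fi
    done
    rm -rf "$repo"
    return 0
}
demo
```

All three fixture entries fail verification, which is the behaviour a makepkg integration wants: an unsigned tag or commit must be an error, not a silent pass, and the branch and no-fragment cases go through exactly the same verify-commit path as #commit=. The remaining design question from the thread, how a PKGBUILD opts a particular source into this check, is not decided by this script; it verifies whatever it is handed.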
