[pacman-dev] makepkg: verify git sources
Jelle van der Waa
jelle at vdwaa.nl
Thu Dec 8 08:14:52 UTC 2016
On 12/07/16 at 09:00pm, Eli Schwartz wrote:
> On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
> > * git url, but no #tag= or #commit= specified, should verify HEAD on the
> > #branch or no tag, commit, branch case.
>
> I imagine that should be handled just like #commit= using verify-commit
> HEAD, why does it need to be special-cased?
Well with #commit you specify a certain commit, so I would say you want
to verify that commit.
> > * Not parsing or tested invalid signed tags, not sure how git verify-tag
> > displays errors so that needs more work.
>
> Non-signed tags return an "error: no signature found", non-signed
> commits just return an error.
Yup, but what about other locales? Guess it needs a LOCALE=C git...
> > * I would like to move the git verification into source/git.sh.in and
> > then re-use the code which extracts #branch, #commit etc. It would
> > also reduce the clutter in verify_signature.sh.in. Another idea is to
> > move the verification into integrity/verify_git.sh.in.
>
> Or extract the logic into a new function and reuse it in integrity/
>
> > * Changing the directory is cumbersome. git offers git -C $path
> > verify-tag $tag to resolve that.
> > * Multiple sources, .tar.gz{,asc} and a git one. (Rare but should be
> > handled) Or multiple git sources.
>
> Or put another way, how should a PKGBUILD declare that git GPG
> verification is demanded, for that particular source?
I'd say if it has validpgpkeys=('234234') we verify the git tag. Which
would require extracting the VALIDSIG 23423 from git verify-tag --raw
v12.
> I have something similar-ish, but probably a lot uglier :p here:
> https://github.com/eli-schwartz/pacman/commit/edde351d919a5baf8c31764c5cfe9e058a2a5771
Hmm looks less ugly somehow though ;-)
--
Jelle van der Waa
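The check sketched in the thread, written out as an added example that is not code from pacman or from either of the patches linked above: run `git -C <path> verify-tag --raw <tag>` under LC_ALL=C, pull the fingerprint out of the GnuPG `[GNUPG:] VALIDSIG` status line, and accept the tag only if that fingerprint is listed in validpgpkeys. The function names and the constructed status output in the comments are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not makepkg's own code. `git verify-tag --raw` forwards GnuPG's
# machine-readable --status-fd lines (prefixed "[GNUPG:]") on stderr; those lines
# do not change with the locale, so parse them instead of the human-readable text.
# Constructed sample of what the status output looks like for a good signature:
#   [GNUPG:] NEWSIG
#   [GNUPG:] GOODSIG 0123456789ABCDEF Example Dev <dev@example.invalid>
#   [GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> <primary-key-fpr>
# An unsigned tag yields no VALIDSIG line at all (git prints "error: no signature found").

# Print the primary-key fingerprint from the first VALIDSIG line (field 12, falling
# back to the signing-key fingerprint in field 3 for very old gpg output).
# Returns 1 when no valid signature was reported.
extract_validsig_fpr() {
    fpr=$(printf '%s\n' "$1" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print ($12 != "" ? $12 : $3); exit }')
    [ -n "$fpr" ] || return 1
    printf '%s\n' "$fpr"
}

# fpr_in_validpgpkeys FPR KEY... : 0 if FPR matches one of the PKGBUILD's
# validpgpkeys entries (compared case-insensitively as full fingerprints).
fpr_in_validpgpkeys() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]'); shift
    for key in "$@"; do
        [ "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" = "$want" ] && return 0
    done
    return 1
}

# verify_git_tag REPO TAG KEY... : 0 only if TAG in REPO carries a valid signature
# from one of the listed keys. Uses `git -C` so no cd is needed, and LC_ALL=C so
# any non-status diagnostics are at least in a predictable language.
verify_git_tag() {
    repo=$1; tag=$2; shift 2
    status=$(LC_ALL=C git -C "$repo" verify-tag --raw "$tag" 2>&1) || return 1
    fpr=$(extract_validsig_fpr "$status") || return 1
    fpr_in_validpgpkeys "$fpr" "$@"
}
```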