[pacman-dev] makepkg: verify git sources

Eli Schwartz eschwartz93 at gmail.com
Thu Dec 8 12:56:05 UTC 2016


On 12/08/2016 03:14 AM, Jelle van der Waa wrote:
> On 12/07/16 at 09:00pm, Eli Schwartz wrote:
>> On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
>>> * git url, but no #tag= or #commit= specified, should verify HEAD on the
>>>  #branch or no tag, commit, branch case.
>>
>> I imagine that should be handled just like #commit= using verify-commit
>> HEAD, why does it need to be special-cased?
> 
> Well with #commit you specify a certain commit, so I would say you want
> to verify that commit.

Huhhhh... right. We're checking the bare source repo, not the copy in
$srcdir which is checked out to the correct $commit.
Too true. :o

>> Or put another way, how should a PKGBUILD declare that git GPG
>> verification is demanded, for that particular source?
> 
> I'd say if it has validpgpkeys=('234234') we verify the git tag. Which
> would require extracting the VALIDSIG 23423 from git verify-tag --raw
> v12.

What happens when you have validpgpkeys and want to check a file but the
repository is not signed? What happens when you have two repositories
and only one is signed?

>> I have something similar-ish, but probably a lot uglier :p here:
>> https://github.com/eli-schwartz/pacman/commit/edde351d919a5baf8c31764c5cfe9e058a2a5771
> 
> Hmm looks less ugly somehow though ;-)

Well, the more you do the uglier it looks...

Anyway, that patch suffers from critical existence failure, see the next
commit:
https://github.com/eli-schwartz/pacman/tree/makepkg-git-verification


-- 
Eli Schwartz
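The thread above talks about pulling the VALIDSIG line out of `git verify-tag --raw` and matching it against validpgpkeys. The following is an added example written for this page; it is not code from the linked branch, from the patch under discussion, or from makepkg itself. It assumes git's `--raw` output (the raw gpg status lines, which git writes to stderr) is piped into `check_validsig`, that validpgpkeys is passed as one space-separated string of upper-case fingerprints, and that a listed key may match either the signing subkey fingerprint or the primary key fingerprint on the VALIDSIG line. The three exit codes are this example's own convention and separate the cases raised above: signed by a listed key, no valid signature at all (unsigned tag or missing public key), and a valid signature by a key that is not in validpgpkeys.

```shell
# Added example (not makepkg's code). Decide whether the gpg status lines that
# `git verify-tag --raw <tag>` or `git verify-commit --raw <rev>` emit name a key
# listed in validpgpkeys. Real invocation (status lines are on stderr):
#   git verify-tag --raw v12 2>&1 >/dev/null | check_validsig "$validpgpkeys"
# Exit status (this example's convention): 0 = signed by a listed key,
# 1 = no valid signature at all, 2 = valid signature but by an unlisted key.
check_validsig() {
    allowed=$1
    status=1                     # no VALIDSIG line seen yet
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*) ;;
            *) continue ;;
        esac
        # VALIDSIG field layout (gpg DETAILS document):
        # [GNUPG:] VALIDSIG <sig-fpr> <date> <timestamp> <expire-ts> <version>
        #          <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-fpr>]
        set -- $line
        sig_fpr=$3
        primary_fpr=${12:-$3}    # older gpg omits the primary key fingerprint
        status=2                 # valid signature; key not matched (yet)
        for key in $allowed; do
            if [ "$key" = "$sig_fpr" ] || [ "$key" = "$primary_fpr" ]; then
                return 0
            fi
        done
    done
    return $status
}

# Feed one constructed status transcript through the check.
# $1 = status text, $2 = validpgpkeys as a space-separated string.
verify_sample() {
    printf '%s\n' "$1" | check_validsig "$2"
}

# Constructed sample transcripts; fingerprints and key ids are made up.
# A tag signed by a subkey whose primary key is AAAA...:
signed_tag='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2016-12-08 1481201765 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# A tag signed by a key that is not in the local keyring:
missing_key='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 0123456789ABCDEF 1 10 00 1481201765 9 0000000000000000000000000123456789ABCDEF
[GNUPG:] NO_PUBKEY 0123456789ABCDEF'

# An unsigned tag: git prints an error and no gpg status lines at all.
unsigned_tag='error: no signature found'

# validpgpkeys with the primary fingerprint above, plus an unrelated key.
listed_keys='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
other_keys='BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB'
```

Because the "unsigned" and "wrong key" outcomes are distinct exit codes, a caller can treat them differently: a PKGBUILD with validpgpkeys whose git source simply carries no signature is a different situation from a source signed by someone outside the list.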

