[pacman-dev] makepkg: verify git sources

Jelle van der Waa jelle at vdwaa.nl
Thu Dec 8 14:28:50 UTC 2016


On 12/08/16 at 07:56am, Eli Schwartz wrote:
> On 12/08/2016 03:14 AM, Jelle van der Waa wrote:
> > On 12/07/16 at 09:00pm, Eli Schwartz wrote:
> >> On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
> >>> * git url, but no #tag= or #commit= specified, should verify HEAD on the
> >>>  #branch or no tag, commit, branch case.
> >>
> >> I imagine that should be handled just like #commit= using verify-commit
> >> HEAD, why does it need to be special-cased?
> > 
> > Well with #commit you specify a certain commit, so I would say you want
> > to verify that commit.
> 
> Huhhhh... right. We're checking the bare source repo, not the copy in
> $srcdir which is checked out to the correct $commit.
> Too true. :o
> 
> >> Or put another way, how should a PKGBUILD declare that git GPG
> >> verification is demanded, for that particular source?
> > 
> > I'd say if it has validpgpkeys=('234234') we verify the git tag. Which
> > would require extracting the VALIDSIG 23423 from git verify-tag --raw
> > v12.
> 
> What happens when you have validpgpkeys and want to check a file but the
> repository is not signed? What happens when you have two repositories
> and only one is signed?

Yes, that's tricky, and exactly why I wanted to start a discussion here
:)


-- 
Jelle van der Waa
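
The mechanism sketched above (run git verify-tag/verify-commit with --raw and match the VALIDSIG fingerprint against validpgpkeys), written out as an added example. This is not code from the thread or from makepkg. It assumes the GnuPG status-line format that git relays with --raw ("[GNUPG:] VALIDSIG <signing-key fpr> ... <primary-key fpr>"); the status lines, fingerprints and user ID below are constructed for the example, and the function and variable names are the example's own.

```bash
#!/bin/bash
# Added example, not makepkg code: decide whether a git object's OpenPGP
# signature was made by a key listed in validpgpkeys, by parsing the GnuPG
# status lines ("[GNUPG:] ...", as printed by gpg --status-fd) that
# `git verify-tag --raw` / `git verify-commit --raw` emit on stderr.

# Constructed status output for a good signature (fingerprints and user ID
# are made up for this example).
SAMPLE_GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] SIG_ID ExampleSigIdStringXXXXXXXXX 2016-12-08 1481209730
[GNUPG:] GOODSIG AAAABBBBCCCCDDDD Example Developer <dev@example.invalid>
[GNUPG:] VALIDSIG 9999888877776666555544443333222211110000 2016-12-08 1481209730 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed status output for a signature made by a key gpg does not have.
SAMPLE_ERRSIG_STATUS='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG AAAABBBBCCCCDDDD 1 8 00 1481209730 9
[GNUPG:] NO_PUBKEY AAAABBBBCCCCDDDD'

# validsig_fingerprint STATUS
# Print the primary key fingerprint from the VALIDSIG line. Field 3 is the
# fingerprint of the (sub)key that made the signature; the optional field 12
# is the primary key's fingerprint, which is what a validpgpkeys entry names.
# Prints nothing when there is no VALIDSIG line (unsigned, bad or unverifiable).
validsig_fingerprint() {
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print (NF >= 12 ? $12 : $3); exit }'
}

# fpr_in_validpgpkeys FPR KEY...
# Succeed if FPR equals one of the listed full fingerprints (case-insensitive).
# Short key IDs are deliberately not accepted: they are cheap to collide.
fpr_in_validpgpkeys() {
    local fpr key
    fpr=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    shift
    for key in "$@"; do
        key=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
        if [ "$key" = "$fpr" ]; then return 0; fi
    done
    return 1
}

# classify_signature STATUS KEY...
# Print one word for the outcome; return 0 only for "trusted".
classify_signature() {
    local status fpr
    status=$1
    shift
    fpr=$(validsig_fingerprint "$status")
    if [ -n "$fpr" ]; then
        if fpr_in_validpgpkeys "$fpr" "$@"; then echo trusted; return 0; fi
        echo untrusted
        return 1
    fi
    case "$status" in
        *"[GNUPG:] BADSIG"*) echo badsig ;;        # signature does not match the object
        *"[GNUPG:] ERRSIG"*) echo unverifiable ;;  # key missing or algorithm unsupported
        *)                   echo unsigned ;;      # git printed no status lines at all
    esac
    return 1
}

# verify_git_ref REPO KIND REF KEY...
# Run the real check against a (bare) clone. KIND is "tag" or "commit".
# The ref is passed explicitly because HEAD of the bare source repo is not
# what ends up checked out in $srcdir when #commit= or #tag= is given.
verify_git_ref() {
    local repo kind ref status
    repo=$1; kind=$2; ref=$3
    shift 3
    status=$(git -C "$repo" "verify-$kind" --raw "$ref" 2>&1) || true
    classify_signature "$status" "$@"
}

# Demonstration on the constructed samples; no git repository is needed.
GOOD_KEY=0123456789ABCDEF0123456789ABCDEF01234567
OTHER_KEY=FFFFEEEEDDDDCCCCBBBBAAAA9999888877776666
echo "listed key:        $(classify_signature "$SAMPLE_GOOD_STATUS" "$GOOD_KEY")"     # trusted
echo "other key listed:  $(classify_signature "$SAMPLE_GOOD_STATUS" "$OTHER_KEY")"    # untrusted
echo "key not in ring:   $(classify_signature "$SAMPLE_ERRSIG_STATUS" "$GOOD_KEY")"   # unverifiable
echo "no signature:      $(classify_signature "" "$GOOD_KEY")"                        # unsigned
```

Two of the outcomes are exactly the cases Eli raises: "unsigned" is what an unsigned repository produces even when validpgpkeys is set, and with two git sources one can come back "trusted" while the other is "unsigned". The classifier only reports that; whether "unsigned" is acceptable for a given source is the per-source policy decision the thread is still debating, and nothing in the gpg output can make it for you.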