[pacman-dev] makepkg: verify git sources

Eli Schwartz eschwartz93 at gmail.com
Thu Dec 8 17:26:10 UTC 2016


On 12/08/2016 09:28 AM, Jelle van der Waa wrote:
> On 12/08/16 at 07:56am, Eli Schwartz wrote:
>> What happens when you have validpgpkeys and want to check a file but the
>> repository is not signed? What happens when you have two repositories
>> and only one is signed?
> 
> Yes that's tricky, and exactly why I wanted to start a discussion here
> :)

So currently everything works correctly, absent this^^.
Checked with signed tags, branches, commits.

Actually, there is no validpgpkeys check, since file signatures still
fail when pgpsigs are checked but no validpgpkeys are declared (so why
change that if we don't have to), but other than that...

Way too many if statements, hopefully that can be reworked somehow, but
the important thing is it doesn't fall over.


Possibilities for switching on repository signature checking:

- Add something to the url fragment to indicate it is signed.

- All-or-nothing (distasteful) check on
```
(( ${#validpgpkeys[@]} > 0 ))
```

- Warn and continue (distasteful)? We should hope for something better
than second-class citizenship.

Anyone else have ideas on this?

-- 
Eli Schwartz
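Added illustration, not code from this thread or from makepkg: one way the "validpgpkeys" question above could be handled for git sources. A tag is checked with `git verify-tag --raw`, anything else with `git verify-commit --raw`, gpg's VALIDSIG status line is parsed for the signing-key and primary-key fingerprints, and the signature is only accepted if one of them is listed in validpgpkeys (the same policy makepkg applies to detached file signatures). The function names, the validpgpkeys value and the sample status text are constructed for the example; it assumes git and gpg are installed.

```shell
#!/bin/bash
# Hypothetical helper (not makepkg's own code): verify a git ref's PGP
# signature and require the signing key to be declared in validpgpkeys.

# Constructed PKGBUILD-style array; a real PKGBUILD lists upstream's keys.
validpgpkeys=('FEDCBA9876543210FEDCBA9876543210FEDCBA98')

# Read gpg --status-fd output on stdin and print "<signing-key-fpr> <primary-key-fpr>"
# taken from the first VALIDSIG line; prints nothing when no valid signature was seen.
parse_validsig() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3, $NF; exit }'
}

# Return 0 if any fingerprint given as an argument is declared in validpgpkeys.
# gpg prints fingerprints in upper case; PKGBUILD authors may not, so normalise both.
fpr_in_validpgpkeys() {
    local fpr key
    for fpr in "$@"; do
        fpr=$(printf '%s' "$fpr" | tr '[:lower:]' '[:upper:]')
        for key in "${validpgpkeys[@]}"; do
            [[ "$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" == "$fpr" ]] && return 0
        done
    done
    return 1
}

# Verify $ref inside $repo: tags go through verify-tag, branches and commits
# through verify-commit. --raw makes git emit gpg's machine-readable status lines.
# Returns 0 only for a good signature made by a key declared in validpgpkeys.
verify_git_ref() {
    local repo=$1 ref=$2 status fprs
    if (( ${#validpgpkeys[@]} == 0 )); then
        printf 'error: %s: signed source but no validpgpkeys declared\n' "$ref" >&2
        return 1
    fi
    if git -C "$repo" show-ref --verify --quiet "refs/tags/$ref"; then
        status=$(git -C "$repo" verify-tag --raw "$ref" 2>&1) || return 1
    else
        status=$(git -C "$repo" verify-commit --raw "$ref" 2>&1) || return 1
    fi
    fprs=$(printf '%s\n' "$status" | parse_validsig)
    [[ -n $fprs ]] || return 1
    # shellcheck disable=SC2086  # word splitting into the two fingerprints is intended
    fpr_in_validpgpkeys $fprs
}

# Usage: ./verify-git-ref.sh <repo> <ref>; without arguments nothing is verified.
if (( $# >= 2 )); then
    verify_git_ref "$1" "$2" && echo "ok: $2 is signed by a declared key"
fi
```

Because the decision is made on the VALIDSIG fingerprint rather than on gpg's exit status alone, a signature from a key that happens to be in the keyring but is not declared in the PKGBUILD is rejected, which is the distinction the thread is asking for.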

