[pacman-dev] Could makepkg verify .dsc file?

Bruno Pagani bruno.pagani at ens-lyon.org
Thu Dec 15 23:23:38 UTC 2016


On 16/12/2016 at 00:13, Allan McRae wrote:

> On 16/12/16 08:29, Bruno Pagani wrote:
>> Hi there,
>>
>> This is probably some sort of feature request or maybe more general asking.
>>
>> I have a case where sha*sums are provided in a .dsc signed file
>> (bs1770gain, for which *sane* upstream is Debian:
>> https://packages.debian.org/source/sid/bs1770gain). Apparently, makepkg
>> only supports verifying files with a detached signature. Is there a
>> specific reason for that (like this use case is really tiny — I have no
>> actual idea about this) or is it just because it was never implemented?
>>
> The format of signed checksum files varies a lot.  I don't want to
> attempt to autodetect each one as that will create a future nightmare.
>
> Also, what is gained vs putting the checksums into the PKGBUILD?
>
> A

Easy verification of source for other people building the package (here
from AUR, but could be from ABS). Or maybe I misunderstood the point of
having PGP verification in makepkg?

The idea is to be able to just put the .dsc file in the sources array
and extract the checksum from it in the sha*sums array (here I just
write "$(grep -A1 Sha256 ${pkgname}_${pkgver}-1.dsc | tail -n 1 | cut -d
' ' -f 2)" in there), while having makepkg verify the .dsc file.

Anyway, I understand your point, I never thought the format could be
something other than a PGP signed message with or without detached
signature. Or maybe you were thinking of extracting the sha*sums (which
is then probably linked to my first point — my possible misunderstanding
of PGP verification in makepkg)?

Thanks,
Bruno
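As an added illustration of the .dsc handling discussed in this thread (example code, not part of the mailing list post or of makepkg): a small parser that reads every entry of the Checksums-Sha256 field of a clearsigned .dsc and checks a source file against the hash and size listed there. The .dsc text and the tarball bytes below are constructed sample inputs, not the real bs1770gain files.

```python
import hashlib
import re

# Constructed sample inputs (not the real bs1770gain .dsc): the files the
# .dsc lists, and a clearsigned .dsc whose Checksums-Sha256 field covers them.
ORIG_TAR = b"example orig tarball bytes\n"
DEBIAN_TAR = b"example debian tarball bytes\n"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

SAMPLE_DSC = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    "Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n"
    "Checksums-Sha256:\n"
    f" {sha256_hex(ORIG_TAR)} {len(ORIG_TAR)} example_1.0.orig.tar.gz\n"
    f" {sha256_hex(DEBIAN_TAR)} {len(DEBIAN_TAR)} example_1.0-1.debian.tar.xz\n"
    "Files:\n d41d8cd98f00b204e9800998ecf8427e 0 example_1.0.orig.tar.gz\n"
    "-----BEGIN PGP SIGNATURE-----\n(signature omitted)\n-----END PGP SIGNATURE-----\n"
)

def parse_checksums_sha256(dsc_text: str) -> dict:
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field.

    A .dsc is a Debian control file: a multi-line field is the field name on
    its own line followed by continuation lines indented by one space. Parsing
    stops at the next unindented field or at the PGP signature block, so every
    entry is read, not only the first one as `grep -A1 ... | tail -n 1` does.
    """
    entries, in_field = {}, False
    for line in dsc_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        if in_field and line.startswith(" "):
            m = re.fullmatch(r" ([0-9a-f]{64}) (\d+) (\S+)", line)
            if m:
                entries[m.group(3)] = (m.group(1), int(m.group(2)))
            continue
        in_field = line == "Checksums-Sha256:"
    return entries

def verify_source(dsc_text: str, filename: str, data: bytes) -> bool:
    """True if data has the sha256 and size the .dsc lists for filename."""
    expected = parse_checksums_sha256(dsc_text).get(filename)
    return expected is not None and expected == (sha256_hex(data), len(data))
```

The checksums are only as trustworthy as the .dsc itself, so the inline PGP signature still has to be verified (for instance with `gpg --verify` against a known Debian maintainer key) before the extracted values are relied on.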
