[pacman-dev] Could makepkg verify .dsc file?

Allan McRae allan at archlinux.org
Fri Dec 16 00:00:32 UTC 2016


On 16/12/16 09:23, Bruno Pagani wrote:
> Le 16/12/2016 à 00:13, Allan McRae a écrit :
> 
>> On 16/12/16 08:29, Bruno Pagani wrote:
>>> Hi there,
>>>
>>> This is probably some sort of feature request or maybe more general asking.
>>>
>>> I have a case where sha*sums are provided in a .dsc signed file
>>> (bs1770gain, for which *sane* upstream is Debian:
>>> https://packages.debian.org/source/sid/bs1770gain). Apparently, makepkg
>>> only supports verifying files with a detached signature. Is there a
>>> specific reason for that (like this use case is really tiny — I have no
>>> actual idea about this) or is it just because it was never implemented?
>>>
>> The format of signed checksum files varies a lot.  I don't want to
>> attempt to autodetect each one as that will create a future nightmare.
>>
>> Also, what is gained vs putting the checksums into the PKGBUILD?
>>
>> A
> 
> Easy verification of source for other people building the package (here
> from AUR, but could be from ABS). Or maybe I misunderstood the point of
> having PGP verification in makepkg?
> 

PGP verification in makepkg is to verify PGP signatures for sources.
Here, we just get checksums that are signed.  So it only used the
checksum to verify the source.  Just putting the checksum in the
PKGBUILD provides the same (assuming you trust the PKGBUILD...)

> The idea is to be able to just put the .dsc file in the sources array
> and extract the checksum from it in the sha*sums array (here I just
> write "$(grep -A1 Sha256 ${pkgname}_${pkgver}-1.dsc | tail -n 1 | cut -d
> ' ' -f 2)" in there), while having makepkg verify the .dsc file.

The Debian format is well defined, but other upstream sources provide
similar signed checksum files that have varying formats.

> Anyway, I understand your point, I never thought the format could be
> something else than a PGP signed message with or without detached
> signature. Or maybe you were thinking of extracting the sha*sums (which
> is then probably linked to my first point — my possible misunderstanding
> of PGP verification in makepkg)?
> 
> Thanks,
> Bruno
> 

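The checksum extraction Bruno describes above uses `grep -A1 Sha256 | tail -n 1`, which simply returns whichever file the .dsc lists first. As an added example (not code from this thread, from makepkg or from Debian's tooling), here is a small Python parser for the `Checksums-Sha256` stanza of a clearsigned .dsc, keyed by file name, together with a check of a source file against the recorded size and digest. The .dsc text, the file names (`example_1.0.orig.tar.gz`, `example_1.0-1.debian.tar.xz`) and the file contents are all constructed here, the signature block is a placeholder, and the helper names (`strip_clearsign`, `parse_checksums`, `verify_file`, `make_dsc`) are hypothetical. The PGP verification of the .dsc itself, which as Allan points out is the only thing that makes the checksums worth more than values typed into the PKGBUILD, is assumed to be done separately with gpg before this parser's output is trusted.

```python
import hashlib

# Constructed sample source files (stand-ins for the orig and debian tarballs);
# the .dsc below is generated from them, so the digests are self-consistent.
SOURCE_FILES = {
    "example_1.0.orig.tar.gz": b"constructed upstream tarball bytes\n",
    "example_1.0-1.debian.tar.xz": b"constructed debian packaging bytes\n",
}


def make_dsc(files):
    """Build a clearsigned-looking .dsc for the constructed files.

    The signature block is a placeholder: this text only exercises the
    parser and must never be treated as verified.
    """
    lines = [
        "-----BEGIN PGP SIGNED MESSAGE-----",
        "Hash: SHA256",
        "",
        "Format: 3.0 (quilt)",
        "Source: example",
        "Version: 1.0-1",
        "Checksums-Sha256:",
    ]
    for name, data in files.items():
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines += [
        "Package-List:",
        " example deb sound optional arch=any",
        "-----BEGIN PGP SIGNATURE-----",
        "placeholder-signature-not-real",
        "-----END PGP SIGNATURE-----",
    ]
    return "\n".join(lines) + "\n"


def strip_clearsign(text):
    """Return the signed body of an OpenPGP clearsigned message.

    Only the armor framing is removed; the signature must already have been
    checked (e.g. with gpg --verify) before anything in the body is trusted.
    """
    lines = text.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    except ValueError:
        return text  # not clearsigned: treat as a bare control file
    i = start + 1
    while i < len(lines) and lines[i].strip():  # skip "Hash: ..." headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        # undo dash-escaping of body lines that start with '-' (RFC 4880 7.1)
        body.append(line[2:] if line.startswith("- ") else line)
    return "\n".join(body)


def parse_checksums(dsc_text, field="Checksums-Sha256"):
    """Map file name -> (hex digest, size) from a multi-line checksum field.

    Continuation lines of a Debian control field start with a single space,
    so the stanza ends at the first line that does not.
    """
    entries = {}
    in_field = False
    for line in strip_clearsign(dsc_text).splitlines():
        if in_field:
            if line.startswith(" "):
                parts = line.split()
                if len(parts) != 3:
                    raise ValueError(f"malformed {field} entry: {line!r}")
                digest, size, name = parts
                entries[name] = (digest.lower(), int(size))
                continue
            in_field = False
        if line.split(":", 1)[0] == field:
            in_field = True
    return entries


def verify_file(dsc_text, name, data):
    """True iff data has exactly the size and SHA-256 the .dsc records for name."""
    entry = parse_checksums(dsc_text).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


DSC = make_dsc(SOURCE_FILES)

if __name__ == "__main__":
    for fname, content in SOURCE_FILES.items():
        print(fname, verify_file(DSC, fname, content))
```

Selecting the entry by name rather than by position is what makes the result usable in a `sha256sums` array: the orig tarball is looked up explicitly, and a file missing from the stanza or a tarball whose size or digest differs from the record is rejected instead of silently matching the wrong line.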