[pacman-dev] Could makepkg verify .dsc file?

Bruno Pagani bruno.pagani at ens-lyon.org
Fri Dec 16 13:37:54 UTC 2016


On 16/12/2016 at 01:00, Allan McRae wrote:

> On 16/12/16 09:23, Bruno Pagani wrote:
>> On 16/12/2016 at 00:13, Allan McRae wrote:
>>> On 16/12/16 08:29, Bruno Pagani wrote:
>>>> Hi there,
>>>>
>>>> This is probably some sort of feature request or maybe more general asking.
>>>>
>>>> I have a case where sha*sums are provided in a .dsc signed file
>>>> (bs1770gain, for which *sane* upstream is Debian:
>>>> https://packages.debian.org/source/sid/bs1770gain). Apparently, makepkg
>>>> only supports verifying file with detached signature. Is there a
>>>> specific reason for that (like this use case is really tiny — I have no
>>>> actual idea about this) or is it just because it was never implemented?
>>>>
>>> The format of signed checksum files varies a lot.  I don't want to
>>> attempt to autodetect each one as that will create a future nightmare.
>>>
>>> Also, what is gained vs putting the checksums into the PKGBUILD?
>>>
>>> A
>> Easy verification of source for other people building the package (here
>> from AUR, but could be from ABS). Or maybe I misunderstood the point of
>> having PGP verification in makepkg?
>>
> PGP verification in makepkg is to verify PGP signatures for sources.
> Here, we just get checksums that are signed.  So it only used the
> checksum to verify the source.  Just putting the checksum in the
> PKGBUILD provides the same (assuming you trust the PKGBUILD...)

On AUR, trusting the PKGBUILD is not a good idea. ;) But I think that
even in the main repos it does matter, because from one glance at the
PKGBUILD I can see that the maintainer is aware of the existence of this
signed file and makes use of it. And otherwise, what is the difference
with this case: sources are signed, the maintainer has verified the
signature and then just added the (calculated/provided) sha*sum to the
PKGBUILD?

>> The idea is to be able to just put the .dsc file in the sources array
>> and extract the checksum from it in the sha*sums array (here I just
>> write "$(grep -A1 Sha256 ${pkgname}_${pkgver}-1.dsc | tail -n 1 | cut -d
>> ' ' -f 2)" in there), while having makepkg verify the .dsc file.
> The Debian format is well defined, but other upstream sources provide
> similar signed checksum files that have varying formats.

But does checking them with `gpg --verify <sums.dsc>` work? Because
that’s all my point is about. I don’t want makepkg to extract the sums
from the file, that would be done in the PKGBUILD. However, if I could
get it to verify that file that would be nice. ;)

Anyway, as you can see in my answer to Eli, I might not actually be needing
that anymore, but I’m still wondering whether makepkg should verify
with GPG any .dsc files provided in the source array, like it does for
.asc/.sig files. Once again, I'm not asking it to do anything clever with the
actual content of that file, just to verify its signature. My point is really
about verifying attached signatures like it’s done for detached ones.

Thanks,
Bruno
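The PKGBUILD trick quoted above pulls the checksum out of the .dsc with `grep -A1 Sha256 | tail -n 1 | cut -d ' ' -f 2`, which silently takes whichever entry happens to come first in the `Checksums-Sha256` field. The script below is an added example, not code from this thread or from pacman/makepkg: it parses the field by filename, checks that the result looks like a SHA-256 digest, and then verifies the source file with `sha256sum -c`. The .dsc it builds is constructed inline with a placeholder signature block (so a real `gpg --verify`, which must still run first on a genuine .dsc, is deliberately not attempted here), and the `example_1.0` package name, the sample "tarball" (a three-byte file) and the function names are all assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the pacman-dev thread): read the SHA-256 for a
# named file from a Debian .dsc's Checksums-Sha256 field and verify the file.
# In a real PKGBUILD, `gpg --verify "$dsc"` on the clearsigned .dsc comes first;
# the sample below carries a placeholder signature and would not verify.

# Build a constructed sample: a fake source file plus a clearsigned-style .dsc.
# Prints the directory that holds both. The first checksum is the real
# SHA-256 of "abc"; the second entry is a placeholder (SHA-256 of the empty
# string) for a file that is never created.
make_sample_dsc() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/example_1.0.orig.tar.gz"   # stand-in for a tarball
    cat > "$dir/example_1.0-1.dsc" <<'EOF'
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 3.0 (quilt)
Source: example
Version: 1.0-1
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0.orig.tar.gz
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0-1.debian.tar.xz
Files:
 00000000000000000000000000000000 3 example_1.0.orig.tar.gz
-----BEGIN PGP SIGNATURE-----

placeholder-signature-block-not-valid
-----END PGP SIGNATURE-----
EOF
    printf '%s\n' "$dir"
}

# dsc_sha256sum <dsc> <filename>: print the SHA-256 listed for <filename>.
# Debian control syntax: the field header line is followed by indented
# continuation lines "<hash> <size> <filename>"; the field ends at the next
# non-indented line (here the signature block). Returns 1 if not found.
dsc_sha256sum() {
    awk -v want="$2" '
        /^Checksums-Sha256:/ { infield = 1; next }
        infield && /^[ \t]/  { if ($3 == want) { print $1; found = 1; exit }; next }
        infield              { infield = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# is_sha256 <string>: true only for 64 lowercase hex digits, so a parsing
# slip (e.g. grabbing a size or filename) cannot be fed to sha256sum.
is_sha256() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# verify_source <dsc> <dir> <filename>: extract the expected digest and
# check the file in <dir> against it; non-zero status on any failure.
verify_source() {
    dsc=$1; dir=$2; name=$3
    expected=$(dsc_sha256sum "$dsc" "$name") || return 1
    is_sha256 "$expected" || return 1
    # sha256sum -c reads "<hash>  <file>" lines; run inside $dir so the
    # relative filename from the .dsc resolves. --status: exit code only.
    (cd "$dir" && printf '%s  %s\n' "$expected" "$name" | sha256sum -c --status)
}

# Stand-alone demo on the constructed sample.
demo_dir=$(make_sample_dsc)
if verify_source "$demo_dir/example_1.0-1.dsc" "$demo_dir" example_1.0.orig.tar.gz; then
    echo "example_1.0.orig.tar.gz matches the .dsc checksum"
else
    echo "checksum mismatch or entry missing" >&2
fi
```

Selecting by filename rather than by position also keeps the PKGBUILD honest when upstream reorders the field or adds an entry, and `verify_source` refuses to run `sha256sum -c` at all if the extracted value is not a well-formed digest.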
