[pacman-dev] makepkg: verify git sources
Eli Schwartz
eschwartz93 at gmail.com
Fri Dec 16 18:56:35 UTC 2016
So, I think this is done now. I had to fix a few other embarrassing
mistakes (see https://github.com/eli-schwartz/pacman/tree/makepkg-git-verify )
but everything should work now. I've tested it on git and http sources,
with and without signatures, and it consistently does the right thing
(at last).
I decided to check for the existence of git signed objects later rather
than earlier. It is possible for e.g. a (weird) commit message to
trigger a match with grep, so better to be explicit even if the flow is
a bit odd. Too bad git doesn't have a way to dump a signature directly.
--
Eli Schwartz
More information about the pacman-dev
mailing list