[pacman-dev] Could makepkg verify .dsc file?

Olivier Brunel jjk at jjacky.com
Fri Dec 16 20:40:29 UTC 2016


On Fri, 16 Dec 2016 14:52:20 -0500
Eli Schwartz <eschwartz93 at gmail.com> wrote:

(...)
> 
> Well, Firefox upstream for one supplies sha512sums in a signed
> file.[1] So this could in theory be used.
> 
> The problem is that you can copy the checksums into the PKGBUILD and
> PGP-verify the checksum file, but unless you seriously reorganize
> makepkg's verification logic you cannot download the checksum file,
> PGP-verify it and *then* check the other files based on the checksum
> file. And I don't think anyone else strongly cares about doing that,
> but maybe if you provided a patch it would be accepted?

Well, for the record there is a patch[1] for doing just that (and a
bit more) actually. Because indeed a few upstreams do not provide
signatures of the source code directly, but either detached sig of
a checksum file, or checksums as a signed message. The patch in question
handles both cases.

And as it happens, it will work with firefox upstream, amongst others.
(Though not with the .dsc files from Debian mentioned in this thread.)

Cheers,


[1]
https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
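The verification order discussed above (verify the checksum file's PGP signature first, then check the downloaded sources against the now-trusted list) is sketched below as an added shell example. It is not makepkg code and not the patch linked at [1]; it only illustrates the two upstream layouts the thread mentions, a detached signature over a SHA512SUMS file and a clearsigned message carrying the sums. The `verified_sums` step needs gpg and a keyring holding the upstream key; the parsing and checking functions run without it. Function names, the `Hash:`-style clearsign layout handling and the sample file names are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not pacman/makepkg code): verify a PGP-signed checksum
# list before trusting it, then check source files against it.
set -eu

# Extract the signed payload of a clearsigned message: everything after the
# blank line that ends the "Hash:" header block, up to the signature armor,
# with RFC 4880 dash-escaping ("- " prefix) undone.
clearsigned_body() {
  awk '
    /^-----BEGIN PGP SIGNED MESSAGE-----$/ { inhdr = 1; next }
    inhdr && /^$/                          { inhdr = 0; inbody = 1; next }
    inhdr                                  { next }
    /^-----BEGIN PGP SIGNATURE-----$/      { exit }
    inbody                                 { sub(/^- /, ""); print }
  ' "$1"
}

# Verify the signature and, only on success, print the trusted checksum list.
# $1: checksum file; $2: detached signature, or empty if $1 is clearsigned.
# Requires gpg and a keyring that already holds the upstream signing key.
verified_sums() {
  local file=$1 sig=${2:-}
  if [ -n "$sig" ]; then
    gpg --batch --verify "$sig" "$file" >/dev/null 2>&1 || return 1
    cat "$file"
  else
    gpg --batch --verify "$file" >/dev/null 2>&1 || return 1
    clearsigned_body "$file"
  fi
}

# Print the hash listed for a basename in a sha512sum-style list ($1).
# Upstream lists usually carry paths (e.g. "source/foo.tar.xz") and may use
# the "*" binary-mode marker, so match on the final path component only.
expected_hash() {
  awk -v want="$2" '
    NF >= 2 {
      path = $2; sub(/^\*/, "", path)
      n = split(path, parts, "/")
      if (parts[n] == want) { print $1; exit }
    }' "$1"
}

# Check the named source files against the trusted list ($1). A source that
# is absent from the list is a failure, not a pass: "sha512sum -c
# --ignore-missing" would silently accept an unlisted file.
check_sources() {
  local sums=$1; shift
  local f want got
  for f in "$@"; do
    want=$(expected_hash "$sums" "$(basename "$f")")
    if [ -z "$want" ]; then
      echo "$f: not listed in the signed checksum file" >&2
      return 1
    fi
    got=$(sha512sum "$f" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
      echo "$f: checksum mismatch" >&2
      return 1
    fi
    echo "$f: ok"
  done
}

# Whole flow in the order the thread asks for: signature first, sources after.
# $1: checksum file; $2: detached signature or ""; rest: source files.
# Example (assumed file names):
#   verify_and_check SHA512SUMS SHA512SUMS.asc firefox-50.1.0.source.tar.xz
#   verify_and_check SHA512SUMS.asc "" firefox-50.1.0.source.tar.xz
verify_and_check() {
  local sumsfile=$1 sig=$2; shift 2
  local trusted rc
  trusted=$(mktemp)
  if ! verified_sums "$sumsfile" "$sig" > "$trusted"; then
    rm -f "$trusted"
    echo "signature verification failed; not checking sources" >&2
    return 1
  fi
  if check_sources "$trusted" "$@"; then rc=0; else rc=1; fi
  rm -f "$trusted"
  return $rc
}
```

The point the functions enforce is that nothing derived from the checksum file is used before `gpg --verify` has succeeded, and that a source missing from the signed list fails rather than passing by omission.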

