[pacman-dev] Could makepkg verify .dsc file?

Bruno Pagani bruno.pagani at ens-lyon.org
Fri Dec 16 22:16:51 UTC 2016


On 16/12/2016 at 21:40, Olivier Brunel wrote:

> On Fri, 16 Dec 2016 14:52:20 -0500
> Eli Schwartz <eschwartz93 at gmail.com> wrote:
>
> (...)
>> Well, Firefox upstream for one supplies sha512sums in a signed
>> file.[1] So this could in theory be used.
>>
>> The problem is that you can copy the checksums into the PKGBUILD and
>> PGP-verify the checksum file, but unless you seriously reorganize
>> makepkg's verification logic you cannot download the checksum file,
>> PGP-verify it and *then* check the other files based on the checksum
>> file. And I don't think anyone else strongly cares about doing that,
>> but maybe if you provided a patch it would be accepted?
> Well, for the record there is a patch[1] for doing just that (and a
> bit more) actually. Because indeed a few upstreams do not provide
> signatures of the source code directly, but either detached sig of
> a checksum file, or checksums as a signed message. The patch in question
> handles both cases.
>
> And as it happens, it will work with firefox upstream, amongst others.
> (Though not with the .dsc files from Debian mentioned in this thread.)
>
> Cheers,
>
> [1]
> https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html

Interesting (for my part, I was definitely not subscribed to that list
at that point). Actually, this patch does much more than I asked for (and
also a bit less, in a certain way), since I definitely don't want
makepkg to try to be clever about the signed sha*sum file content.

So to sum up my point of view, all that would be needed is:

1) Be able to run whatever grep or the like command on any file from the
source array in the sha*sum array (that currently does work if the file
was already present locally, but not if it had to be downloaded).
2) Make makepkg verify inline PGP-signed messages.

I acknowledge that I am not at ease enough with the makepkg source code to
provide a patch for that any time soon, but knowing whether such a thing
would be a good idea, or would be accepted, would already be a first step.

Regards,
Bruno
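The two-step check discussed in this thread (PGP-verify a signed checksum list, then check the downloaded source against it), written out as an added shell example. This is not makepkg code and not the patch Olivier linked; it is an illustration of what such a check has to get right. It assumes GnuPG 2.x (`gpg`) and coreutils `sha512sum` on PATH, that the signer's public key is already in the keyring `GNUPGHOME` points at, and that the checksum list is an inline (clearsigned) message in `sha512sum` format, as Firefox's SHA512SUMS.asc is. The file names, the function name `verify_signed_sums` and the exit codes are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not makepkg code: verify a clearsigned SHA512SUMS message,
# pin the signature to an expected key, then check one source file against
# the *verified* list.  Assumes gpg (GnuPG 2.x) and coreutils sha512sum on
# PATH and the signer's public key in the keyring GNUPGHOME points at.
# Names and fingerprints used below are placeholders for the example.

# verify_signed_sums SIGNED_SUMS EXPECTED_FPR SOURCE_FILE
# Exit status: 0 ok, 1 setup error, 2 no valid signature, 3 signed by the
# wrong key, 4 file not listed in the signed text, 5 checksum mismatch.
verify_signed_sums() {
    signed=$1
    fpr=$(printf '%s' "$2" | tr 'a-f' 'A-F')   # gpg prints fingerprints upper-case
    src=$3
    work=$(mktemp -d) || return 1
    status=$work/status
    sums=$work/SHA512SUMS

    # --decrypt on a clearsigned message writes exactly the signed text to
    # --output and reports on the signature via --status-fd.  We only ever
    # grep that verified copy, never the original file, so text placed
    # outside the signed block cannot smuggle in an extra checksum line.
    # gpg still writes the text when the signature is BAD, which is why the
    # exit status alone is not enough and VALIDSIG is checked explicitly.
    gpg --batch --no-tty --status-fd 3 --output "$sums" --decrypt "$signed" \
        3>"$status" 2>/dev/null

    rc=0
    if ! grep -q '^\[GNUPG:\] VALIDSIG ' "$status"; then
        rc=2
    elif ! grep -q "^\[GNUPG:\] VALIDSIG $fpr " "$status"; then
        rc=3     # good signature, but not from the key trusted for this source
    else
        name=$(basename "$src")
        # sha512sum lines look like "<hex>  <name>" or "<hex> *<name>" (binary)
        expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
        case $expected in
            "" | *[!0-9a-fA-F]*) rc=4 ;;
            *)
                if [ ${#expected} -ne 128 ]; then
                    rc=4
                else
                    actual=$(sha512sum "$src" | awk '{ print $1 }')
                    [ "$expected" = "$actual" ] || rc=5
                fi
                ;;
        esac
    fi
    rm -rf "$work"
    return $rc
}

# Usage: verify_signed_sums.sh SHA512SUMS.asc <fingerprint> firefox-50.1.0.source.tar.xz
if [ "$#" -eq 3 ]; then
    verify_signed_sums "$@"
    rc=$?
    case $rc in
        0) echo "ok: $3 matches its signed checksum" ;;
        2) echo "FAIL: no valid signature on $1" ;;
        3) echo "FAIL: $1 is signed by a key other than $2" ;;
        4) echo "FAIL: $3 is not listed in the signed text of $1" ;;
        5) echo "FAIL: checksum mismatch for $3" ;;
        *) echo "FAIL: could not run the check" ;;
    esac
    exit $rc
fi
```

In a PKGBUILD setting the fingerprint passed as the second argument would be one of the entries in `validpgpkeys`; without that pin, any key in the keyring that produces a good signature would be accepted, which is the same mistake as trusting `gpg --verify`'s exit status for a clearsigned file whose signature is bad.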


