[pacman-dev] [PATCH] makepkg: Verify git signatures

Jelle van der Waa jelle at vdwaa.nl
Tue Jan 3 07:51:48 UTC 2017


On 01/03/17 at 03:22pm, Allan McRae wrote:
> On 17/12/16 04:56, Eli Schwartz wrote:
> > A git repository is marked as signed if it contains the query "signed"
> > as defined by https://tools.ietf.org/html/rfc3986
> > 
> > Adds two utility functions in util/source.sh.in to extract fragments and
> > queries, and modifies source/git.sh.in to use them.
> > 
> 
> Needs documentation added.  e.g. can the query string occur anywhere
> relative to the fragment?
> 
> > Signed-off-by: Eli Schwartz <eschwartz93 at gmail.com>
> > ---
> >  .../libmakepkg/integrity/verify_signature.sh.in    | 56 ++++++++++++++++++----
> >  scripts/libmakepkg/source/git.sh.in                | 11 ++---
> >  scripts/libmakepkg/util/source.sh.in               | 27 +++++++++++
> >  3 files changed, 76 insertions(+), 18 deletions(-)
> > 
> > diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in b/scripts/libmakepkg/integrity/verify_signature.sh.in
> > index 6df62727..634958f9 100644
> > --- a/scripts/libmakepkg/integrity/verify_signature.sh.in
> > +++ b/scripts/libmakepkg/integrity/verify_signature.sh.in
> > @@ -32,11 +32,12 @@ check_pgpsigs() {
> >  
> >  	msg "$(gettext "Verifying source file signatures with %s...")" "gpg"
> >  
> > -	local file ext decompress found pubkey success status fingerprint trusted
> > +	local netfile file ext decompress found pubkey success status fingerprint trusted
> >  	local warning=0
> >  	local errors=0
> >  	local statusfile=$(mktemp)
> >  	local all_sources
> > +	local proto dir fragment query fragtype fragval
> >  
> >  	case $1 in
> >  		all)
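Review bot: style point on `+	local proto dir fragment query fragtype fragval`: the declaration just above already grew `netfile` (`+	local netfile file ext decompress found pubkey success status fingerprint trusted`), so the six new names could join that line rather than a separate declaration placed after `all_sources`. More importantly, `fragtype` and `fragval` are declared here, outside the per-source loop that the next hunk adds, so they keep their value from one loop pass to the next; either initialise them here (`local fragtype= fragval=`) and reset them at the top of each iteration, or declare them inside the loop body.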
> > @@ -46,15 +47,38 @@ check_pgpsigs() {
> >  			get_all_sources_for_arch 'all_sources'
> >  			;;
> >  	esac
> > -	for file in "${all_sources[@]}"; do
> > -		file="$(get_filename "$file")"
> > -		if [[ $file != *.@(sig?(n)|asc) ]]; then
> > +	for netfile in "${all_sources[@]}"; do
> > +		file="$(get_filename "$netfile")"
> > +		proto="$(get_protocol "$netfile")"
> > +		dir=$(get_filepath "$netfile")
> > +		fragment=$(get_uri_fragment "$netfile")
> > +		query=$(get_uri_query "$netfile")
> > +
> > +		if [[ $proto = git* && $query = signed ]]; then
> > +			case ${fragment%%=*} in
> > +				tag)
> > +					fragtype=tag
> > +					fragval=${fragment##*=}
> > +					;;
> > +				commit|branch)
> > +					fragtype=commit
> > +					fragval=${fragment##*=}
> > +					;;
> > +				'')
> > +					fragtype=commit
> > +					fragval=HEAD
> > +			esac
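Review bot: the `case ${fragment%%=*} in` block has no `*)` default branch, so a fragment of an unrecognised type (a misspelt `tag`, or any future fragment keyword) matches nothing and execution continues with whatever `fragtype`/`fragval` were left by the previous source, since both are declared once outside the `for netfile` loop. Add a `*)` branch that reports the unsupported fragment and counts it as an error, and give the `'')` branch its closing `;;` for consistency with the other branches. Two smaller points: `dir=$(get_filepath "$netfile")` is assigned but not used in any line shown in this hunk, and the `commit|branch)` branch maps `branch=` onto the commit path, which deserves a comment or a line in the documentation Allan asked for.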
> 
> I'm guessing other modern VCS tools can have signatures verified too?
> This function will become a mess when they are included.  Please split
> out git and standard file verification to their own functions called
> within this one.

It seems that SVN does not support signing commits, CVS has no support
for it either, and Mercurial has an extension for it. [1]

[1] https://www.mercurial-scm.org/wiki/GpgExtension

-- 
Jelle van der Waa