[PATCH] makepkg: Implement the verify function
Morten Linderud
foxboron at archlinux.org
Sat Jun 25 14:59:47 UTC 2022
On Sun, Jun 26, 2022 at 12:55:22AM +1000, Allan McRae wrote:
> On 29/5/22 00:18, Morten Linderud wrote:
> > From: Morten Linderud <morten at linderud.pw>
> >
> > This patch implements a new verify function in makepkg. It allows us to
> > do arbitrary authentication on sources before extraction.
> >
> > There are several new signing and validation methods being implemented
> > and it would be hard to have `makepkg` implement support for things such
> > as sequoia, cosign or minisign. This would allow us to distribute
> > generic validation functions.
> >
> > This also implements a new `copy_` routine for our protocols as we need
> > to have a separation between extracting sources and copying sources.
>
> I have looked at this patch and I have no idea what the copy_... is supposed
> to do here at all. Why would anything need copied into $srcdir before
> verification? This does not appear necessary for and of sequoia, cosign or
> minisign.
>
> Allan
Currently makepkg does copying and extraction as one routine. Nothing is
currently available in `$srcdir` and there is no way to have files available in
`$srcdir` without actually extracting them as well.
How could sequioa/cosign/minisign verify files if there is no files in `$srcdir`?
--
Morten Linderud
PGP: 9C02FF419FECBE16
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20220625/572fa3ad/attachment-0001.sig>
More information about the pacman-dev
mailing list