On 12/07/16 at 09:00pm, Eli Schwartz wrote:
> On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
> > * git url, but no #tag= or #commit= specified, should verify HEAD on the
> > #branch or no tag, commit, branch case.
>
> I imagine that should be handled just like #commit= using verify-commit
> HEAD, why does it need to be special-cased?
Well with #commit you specify a certain commit, so I would say you want
to verify that commit.
> > * Not parsing or tested invalid signed tags, not sure how git verify-tag
> > displays errors so that needs more work.
>
> Non-signed tags return an "error: no signature found"; non-signed
> commits just return an error.
Yup, but what about other locales? Guess it needs a LOCALE=C git...
> > * I would like to move the git verification into source/git.sh.in and
> > then re-use the code which extracts #branch, #commit etc. It would
> > also reduce the clutter in verify_signature.sh.in. Another idea is to
> > move the verification into integrity/verify_git.sh.in.
>
> Or extract the logic into a new function and reuse it in integrity/
>
> > * Changing the directory is cumbersome. git offers git -C $path
> > verify-tag $tag to resolve that.
> > * Multiple sources, .tar.gz{,asc} and a git one. (Rare but should be
> > handled) Or multiple git sources.
>
> Or put another way, how should a PKGBUILD declare that git GPG
> verification is demanded, for that particular source?
I'd say if it has validpgpkeys=('234234') we verify the git tag, which
would require extracting the VALIDSIG 23423 from git verify-tag --raw
v12.
> I have something similar-ish, but probably a lot uglier :p here:
> https://github.com/eli-schwartz/pacman/commit/edde351d919a5baf8c31764c5cfe9e058a2a5771
Hmm looks less ugly somehow though ;-)
--
Jelle van der Waa
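The check sketched in this thread (run git verify-tag --raw, pull the VALIDSIG fingerprint out of the gpg status lines, compare it against validpgpkeys) as an added example. This is illustration code written for this page, not makepkg code and not the patch either participant posted. The function names, return codes and the sample fingerprints are made up here; the gpg status keywords (GOODSIG, BADSIG, ERRSIG, VALIDSIG) and the VALIDSIG field layout are GnuPG's own. Accepting either the signing-subkey fingerprint (field 3) or the primary-key fingerprint (field 12) is a design choice of this example, not makepkg policy. The status text is gathered with LC_ALL=C so git's own translated messages ("no signature found") are predictable; the [GNUPG:] lines themselves are never localized.

```shell
#!/bin/sh
# Added example (not makepkg code): decide whether a git tag's signature
# satisfies a PKGBUILD's validpgpkeys, given the raw gpg status output that
# `git verify-tag --raw` (or `git verify-commit --raw`) writes to stderr.

# Normalize a fingerprint: drop spaces, uppercase the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# check_sig_status STATUS FPR...
# STATUS is the text of the "[GNUPG:] ..." lines; FPR... are the entries of
# validpgpkeys.  Return codes (chosen for this example):
#   0  valid signature by a listed key
#   1  valid signature, but the key is not in validpgpkeys
#   2  no gpg status at all (unsigned object; git itself reports
#      "error: no signature found")
#   3  gpg reported BADSIG/ERRSIG, or emitted no VALIDSIG line
check_sig_status() {
    status=$1; shift
    if ! printf '%s\n' "$status" | grep -q '^\[GNUPG:\] '; then
        return 2
    fi
    if printf '%s\n' "$status" | grep -q '^\[GNUPG:\] \(BADSIG\|ERRSIG\) '; then
        return 3
    fi
    # VALIDSIG: field 3 is the fingerprint of the (sub)key that made the
    # signature; field 12, when present, is the primary key fingerprint.
    # Accept either, since validpgpkeys usually lists primary keys
    # (assumption of this example).
    sigkeys=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $12 }')
    [ -n "$sigkeys" ] || return 3
    for want in "$@"; do
        want=$(norm_fpr "$want")
        for got in $sigkeys; do
            [ "$(norm_fpr "$got")" = "$want" ] && return 0
        done
    done
    return 1
}

# How the status text would be collected in a makepkg-like flow: LC_ALL=C
# keeps git's own messages untranslated, and --raw sends the gpg status
# lines to stderr, which is all we capture.  Not invoked below, since it
# needs a real repository and a real tag.
git_tag_status() {
    LC_ALL=C git -C "$1" verify-tag --raw "$2" 2>&1 >/dev/null
}

# Constructed sample status output, the shape gpg produces for a good
# signature made by a subkey.  All fingerprints are made up for this example.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321089ABCDEF 2016-12-07 1481128800 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>'

# validpgpkeys as a PKGBUILD would give it (primary key fingerprint).
VALIDPGPKEYS='0123456789ABCDEF0123456789ABCDEF01234567'

if check_sig_status "$SAMPLE_GOOD" $VALIDPGPKEYS; then
    echo "good: tag signed by a key listed in validpgpkeys"
fi
check_sig_status "$SAMPLE_BAD" $VALIDPGPKEYS || echo "rejected bad signature (rc=$?)"
check_sig_status "" $VALIDPGPKEYS || echo "rejected unsigned tag (rc=$?)"
```

The "unsigned" case is detected by the absence of any [GNUPG:] line rather than by matching git's error text, which is what makes the locale question in the thread moot for the gpg side; only git's own wording depends on LC_ALL.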
