On 12/08/16 at 07:56am, Eli Schwartz wrote:
> On 12/08/2016 03:14 AM, Jelle van der Waa wrote:
> > On 12/07/16 at 09:00pm, Eli Schwartz wrote:
> >> On 12/07/2016 03:48 PM, Jelle van der Waa wrote:
> >>> * git url, but no #tag= or #commit= specified, should verify HEAD on the
> >>> #branch or no tag, commit, branch case.
> >>
> >> I imagine that should be handled just like #commit= using verify-commit
> >> HEAD, why does it need to be special-cased?
> >
> > Well with #commit you specify a certain commit, so I would say you want
> > to verify that commit.
>
> Huhhhh... right. We're checking the bare source repo, not the copy in
> $srcdir which is checked out to the correct $commit.
> Too true. :o
>
> >> Or put another way, how should a PKGBUILD declare that git GPG
> >> verification is demanded, for that particular source?
> >
> > I'd say if it has validpgpkeys=('234234') we verify the git tag. Which
> > would require extracting the VALIDSIG 23423 from git verify-tag --raw
> > v12.
>
> What happens when you have validpgpkeys and want to check a file but the
> repository is not signed? What happens when you have two repositories
> and only one is signed?

Yes that's tricky, and exactly why I wanted to start a discussion here :)

-- 
Jelle van der Waa

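The check Jelle sketches above (match the fingerprint from the VALIDSIG status line of `git verify-tag --raw` against validpgpkeys) and the edge case Eli raises (a repository that is not signed at all) can be expressed as a small shell routine. This is an added example, not makepkg or pacman code: the function names, the exit-code convention, the fingerprints and the gpg status lines are all constructed for illustration. It assumes the documented gpg status format, where field 3 of a VALIDSIG line is the key that made the signature and the last field is its primary key fingerprint, and it treats "no VALIDSIG seen" (unsigned tag, BADSIG, missing key) as a distinct failure from "valid signature by a key not in validpgpkeys", so a caller can decide what an unsigned repository should mean instead of silently passing it.

```shell
#!/bin/sh
# Added example (not makepkg code): judge a git tag signature against a
# PKGBUILD's validpgpkeys from the gpg status lines that
# `git verify-tag --raw <tag>` writes to stderr.
#
# Return codes of check_git_tag_sig:
#   0  a VALIDSIG line names a fingerprint listed in validpgpkeys
#   1  valid signature, but by a key that is not in validpgpkeys
#   2  no valid signature at all (unsigned tag, BADSIG, unknown key)

# True if $1 equals one of the remaining arguments (the trusted fingerprints).
fpr_is_trusted() {
    fpr=$1; shift
    for trusted in "$@"; do
        [ "$fpr" = "$trusted" ] && return 0
    done
    return 1
}

# $1: raw gpg status text; remaining args: fingerprints from validpgpkeys.
check_git_tag_sig() {
    gpgstatus=$1; shift
    saw_validsig=0
    # VALIDSIG layout: [GNUPG:] VALIDSIG <sig-fpr> <date> <ts> <exp> <ver>
    #                  <rsv> <pkalgo> <hashalgo> <class> <primary-key-fpr>
    # PKGBUILDs may list either the signing subkey or the primary key,
    # so a match on either is accepted here (an assumption of this example).
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                saw_validsig=1
                sigfpr=$(printf '%s\n' "$line" | awk '{print $3}')
                primary=$(printf '%s\n' "$line" | awk '{print $NF}')
                if fpr_is_trusted "$sigfpr" "$@" || fpr_is_trusted "$primary" "$@"; then
                    return 0
                fi
                ;;
        esac
    done <<EOF
$gpgstatus
EOF
    [ "$saw_validsig" -eq 1 ] && return 1
    return 2
}

# Glue for a real checkout (hypothetical; not exercised by the demo below):
# gpg status goes to stderr, so capture that and discard stdout.
verify_git_tag_for_pkgbuild() {
    repo=$1; tag=$2; shift 2
    raw=$(cd "$repo" && git verify-tag --raw "$tag" 2>&1 >/dev/null)
    check_git_tag_sig "$raw" "$@"
}

# Constructed sample data: fingerprints and status output are made up.
TRUSTED_FPR=00112233445566778899AABBCCDDEEFF00112233
PRIMARY_FPR=AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444
OTHER_FPR=FFFFEEEEDDDDCCCCBBBBAAAA99998888777766665555
SIGNED_BY_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG '"$TRUSTED_FPR"' 2016-12-08 1481180160 0 4 0 1 8 00 '"$PRIMARY_FPR"'
[GNUPG:] TRUST_UNDEFINED 0 pgp'
BAD_SIGNATURE='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Maintainer <maintainer@example.org>'
UNSIGNED='error: no signature found'

# Prints one line per scenario with the resulting return code.
report() {
    label=$1; text=$2; shift 2
    rc=0
    check_git_tag_sig "$text" "$@" || rc=$?
    printf '%-32s -> %s\n' "$label" "$rc"
}

report "signed by key in validpgpkeys"  "$SIGNED_BY_TRUSTED" "$TRUSTED_FPR"
report "signed, matched via primary"    "$SIGNED_BY_TRUSTED" "$PRIMARY_FPR"
report "signed by some other key"       "$SIGNED_BY_TRUSTED" "$OTHER_FPR"
report "bad signature"                  "$BAD_SIGNATURE"     "$TRUSTED_FPR"
report "unsigned repository"            "$UNSIGNED"          "$TRUSTED_FPR"
```

Keeping return codes 1 and 2 apart is the point: a PKGBUILD with validpgpkeys and two git sources, only one of them signed, can then be handled by policy (fail, or require an explicit per-source opt-in) rather than by the check quietly returning success when gpg never produced a VALIDSIG line.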