On 16/12/2016 at 21:40, Olivier Brunel wrote:
> On Fri, 16 Dec 2016 14:52:20 -0500
> Eli Schwartz <[email protected]> wrote:
>
> (...)
>> Well, Firefox upstream for one supplies sha512sums in a signed
>> file.[1] So this could in theory be used.
>>
>> The problem is that you can copy the checksums into the PKGBUILD and
>> PGP-verify the checksum file, but unless you seriously reorganize
>> makepkg's verification logic you cannot download the checksum file,
>> PGP-verify it and *then* check the other files based on the checksum
>> file. And I don't think anyone else strongly cares about doing that,
>> but maybe if you provided a patch it would be accepted?
> Well, for the record there is a patch[1] for doing just that (and a
> bit more) actually. Because indeed a few upstreams do not provide
> signatures of the source code directly, but either detached sig of
> a checksum file, or checksums as a signed message. The patch in question
> handles both cases.
>
> And as it happens, it will work with firefox upstream, amongst others.
> (Though not with the .dsc files from Debian mentioned in this thread.)
>
> Cheers,
>
> [1]
> https://lists.archlinux.org/pipermail/pacman-dev/2015-November/020564.html
Interesting (for my part, I was definitely not subscribed to that list at that point).

Actually, this patch does much more than I ask for (and a bit less also in a certain way), since I definitely don’t want makepkg to try to be clever about the signed sha*sum file content.

So to sum up my point of view, all that would be needed is:

1) Be able to run whatever grep or the like command on any file from the source array in the sha*sum array (that currently does work if the file was already present locally, but not if it had to be downloaded).

2) Make makepkg verify inline PGP signed messages.

I acknowledge not having enough ease regarding the makepkg source code to provide a patch for that any time soon, but whether such a thing would be a good idea or accepted would already be a first step.

Regards,
Bruno
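The two steps Bruno lists above (verify the inline PGP signed checksum list first, then grep the digest of one source file out of the verified body and check the file against it), as an added example that is not part of the thread and not makepkg code. It assumes the upstream checksum file is a clearsigned message whose body is in sha512sum format and that the upstream signing key is already in the local keyring; the function names and sample file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from makepkg. Assumes a
# clearsigned checksum file in sha512sum format and an upstream signing
# key already imported into the local gpg keyring. Function names are
# made up for this demonstration.

# Step 1: verify the inline (clearsign) signature. Non-zero exit if the
# signature is bad, missing, or made by a key not in the keyring.
verify_clearsigned() {
    gpg --batch --verify "$1" >/dev/null 2>&1
}

# Return only the signed body of a clearsigned file: the lines between
# the blank line that ends the armor header and the signature block.
# Clearsign dash-escaping ("- " prefix) is undone on the way.
signed_body() {
    awk '
        /^-----BEGIN PGP SIGNED MESSAGE-----$/ { hdr = 1; next }
        hdr && /^$/                            { hdr = 0; body = 1; next }
        /^-----BEGIN PGP SIGNATURE-----$/      { exit }
        body                                   { sub(/^- /, ""); print }
    ' "$1"
}

# Step 2: the grep-like lookup from point 1) of the mail: print the digest
# listed for one file name. Matches the whole name (or the last path
# component only), so foo.tar.xz never matches foo.tar.xz.asc. Exit 1 if
# the file is not listed at all.
extract_checksum_for() {
    signed_body "$1" | awk -v want="$2" '
        NF >= 2 {
            name = $2; sub(/^\*/, "", name)        # "*name" = binary mode
            n = split(name, parts, "/")
            if (name == want || parts[n] == want) { print $1; found = 1; exit }
        }
        END { exit !found }
    '
}

# Check a locally present source file against the digest taken from the
# signed list. Usage: check_source SHA512SUMS firefox-50.1.0.source.tar.xz
check_source() {
    digest=$(extract_checksum_for "$1" "$2") || return 1
    printf '%s  %s\n' "$digest" "$2" | sha512sum -c - >/dev/null
}

# Full flow in the order that matters: signature first, digest second.
verify_source() {
    verify_clearsigned "$1" && check_source "$1" "$2"
}
```

Only verify_source performs the signature check; calling check_source on its own trusts the checksum file as-is, which is exactly the gap the thread is about.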
