On 01/03/17 at 03:22pm, Allan McRae wrote: > On 17/12/16 04:56, Eli Schwartz wrote: > > A git repository is marked as signed if it contains the query "signed" > > as defined by https://tools.ietf.org/html/rfc3986 > > > > Adds two utility functions in util/source.sh.in to extract fragments and > > queries, and modifies source/git.sh.in to use them. > > > > Needs documentation added. e.g. can the query string occur anywhere > relative to the fragment? > > > Signed-off-by: Eli Schwartz <[email protected]> > > --- > > .../libmakepkg/integrity/verify_signature.sh.in | 56 > > ++++++++++++++++++---- > > scripts/libmakepkg/source/git.sh.in | 11 ++--- > > scripts/libmakepkg/util/source.sh.in | 27 +++++++++++ > > 3 files changed, 76 insertions(+), 18 deletions(-) > > > > diff --git a/scripts/libmakepkg/integrity/verify_signature.sh.in > > b/scripts/libmakepkg/integrity/verify_signature.sh.in > > index 6df62727..634958f9 100644 > > --- a/scripts/libmakepkg/integrity/verify_signature.sh.in > > +++ b/scripts/libmakepkg/integrity/verify_signature.sh.in > > @@ -32,11 +32,12 @@ check_pgpsigs() { > > > > msg "$(gettext "Verifying source file signatures with %s...")" "gpg" > > > > - local file ext decompress found pubkey success status fingerprint > > trusted > > + local netfile file ext decompress found pubkey success status > > fingerprint trusted > > local warning=0 > > local errors=0 > > local statusfile=$(mktemp) > > local all_sources > > + local proto dir fragment query fragtype fragval > > > > case $1 in > > all) 
> > @@ -46,15 +47,38 @@ check_pgpsigs() { > > get_all_sources_for_arch 'all_sources' > > ;; > > esac > > - for file in "${all_sources[@]}"; do > > - file="$(get_filename "$file")" > > - if [[ $file != *.@(sig?(n)|asc) ]]; then > > + for netfile in "${all_sources[@]}"; do > > + file="$(get_filename "$netfile")" > > + proto="$(get_protocol "$netfile")" > > + dir=$(get_filepath "$netfile") > > + fragment=$(get_uri_fragment "$netfile") > > + query=$(get_uri_query "$netfile") > > + > > + if [[ $proto = git* && $query = signed ]]; then > > + case ${fragment%%=*} in > > + tag) > > + fragtype=tag > > + fragval=${fragment##*=} > > + ;; > > + commit|branch) > > + fragtype=commit > > + fragval=${fragment##*=} > > + ;; > > + '') > > + fragtype=commit > > + fragval=HEAD > > + esac > > I'm guessing other modern VCS tools can have signatures verified too? > This function will become a mess when they are included. Please split > out git and standard file verification to their own functions called > within this one.
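Review bot: The `case ${fragment%%=*}` block in the second hunk has no `*)` arm, and `fragtype`/`fragval` are declared once with `local` in the first hunk, outside the `for netfile` loop. A git source carrying `?signed` and a fragment key other than `tag`, `commit` or `branch` therefore falls through with whatever values the previous source left behind, or with empty ones on the first pass. Add a `*)` arm that reports an error, or reset both variables at the top of each iteration. Two smaller points in the same block: `${fragment##*=}` strips up to the last `=`, so a value that itself contains `=` is truncated and `${fragment#*=}` is the safer way to take everything after the key; and the `'')` arm is the only one without a closing `;;`.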
It seems that SVN does not support signing commits, CVS has no support for it either, and Mercurial has an extension for it. [1]

[1] https://www.mercurial-scm.org/wiki/GpgExtension

-- 
Jelle van der Waa
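On where the query may sit relative to the fragment: RFC 3986 fixes the order, with the query running from the first `?` up to the first `#` and everything after `#` belonging to the fragment. The shell functions below are an added example, not the patch's code; `uri_fragment`, `uri_query` and `signed_ref` are hypothetical names, the `name::` prefix handling is an assumption about makepkg source entries, and the URLs are constructed.

```shell
#!/bin/bash
# Added example; function names are hypothetical, sample URLs are constructed.

# Fragment: everything after the first '#' (RFC 3986 section 3.5).
uri_fragment() {
	case $1 in
		*'#'*) printf '%s\n' "${1#*#}" ;;
		*)     printf '\n' ;;
	esac
}

# Query: between the first '?' and the first '#' (RFC 3986 section 3.4).
# A '?' that appears after '#' is part of the fragment, not a query.
uri_query() {
	nofrag=${1%%#*}
	case $nofrag in
		*[?]*) printf '%s\n' "${nofrag#*[?]}" ;;
		*)     printf '\n' ;;
	esac
}

# Print "<type> <ref>" for a signed git source, "unsigned" otherwise.
# Returns 1 for a fragment key it does not recognise.
signed_ref() {
	url=${1#*::}                      # assumption: optional "name::" prefix
	case $url in git*) ;; *) echo unsigned; return 0 ;; esac
	[ "$(uri_query "$url")" = signed ] || { echo unsigned; return 0; }
	fragment=$(uri_fragment "$url")
	case ${fragment%%=*} in
		tag)           echo "tag ${fragment#*=}" ;;
		commit|branch) echo "commit ${fragment#*=}" ;;
		'')            echo "commit HEAD" ;;
		*)             return 1 ;;
	esac
}

for src in \
	'git+https://example.org/repo.git?signed#tag=v1.0' \
	'git+https://example.org/repo.git#tag=v1.0?signed' \
	'repo::git+https://example.org/repo.git?signed' \
	'https://example.org/file.tar.gz?signed'
do
	printf '%-50s -> %s\n' "$src" "$(signed_ref "$src")"
done
```

The second sample shows the case that matters for verification: with `?signed` written after the fragment, the source parses as unsigned and the signature check would be skipped without any error.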
