On 19/07/15 15:29, Gaetan Bisson wrote:
> [2015-07-19 06:52:39 +0200] Jerome Leclanche:
>> git tags can and should be pgp-signed, especially if the upstream is
>> relying purely on git for releases. Is any package not covered by
>> that?
>
> That would certainly be the ideal way of doing things but I don't
> believe pacman currently knows how to verify these.
>

I guess that would be easy to add into makepkg. Look at
scripts/libmakepkg/source/git.sh in the pacman.git tree...

A
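
The check discussed in this thread, sketched as an added example (not code from the thread, from makepkg, or from pacman.git): it accepts a tag only if it is an annotated tag whose signature validates against a trusted primary-key fingerprint. It assumes `git verify-tag --raw` and GnuPG's status-line format; the function names and the sample fingerprints are made up for illustration.

```shell
#!/bin/bash
# Added example; function names are hypothetical, fingerprints are constructed.

# Constructed GnuPG status output, as `git verify-tag --raw` prints on stderr.
# The tag is signed by a subkey; the last VALIDSIG field is the primary key.
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Example Upstream <dev@example.org>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2015-07-19 1437300000 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'

# status_trusted "<status text>" FPR [FPR...]
# Succeeds only for a valid signature whose primary key is in the trusted list.
status_trusted() {
    local status=$1 line primary fpr
    shift
    # Bad, unverifiable, expired or revoked signatures are rejected outright,
    # even though GnuPG may still emit VALIDSIG for expired or revoked keys.
    if printf '%s\n' "$status" |
        grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG) '; then
        return 1
    fi
    line=$(printf '%s\n' "$status" | grep -m1 '^\[GNUPG:\] VALIDSIG ') || return 1
    primary=${line##* }    # last field: primary key fingerprint
    for fpr in "$@"; do
        # Compare case-insensitively by upper-casing the trusted fingerprint.
        [ "$(printf '%s' "$fpr" | tr 'a-f' 'A-F')" = "$primary" ] && return 0
    done
    return 1
}

# verify_signed_tag REPO TAG FPR [FPR...]
verify_signed_tag() {
    local repo=$1 tag=$2 status
    shift 2
    # A lightweight tag is just a ref to a commit and cannot carry a signature.
    [ "$(git -C "$repo" cat-file -t "refs/tags/$tag" 2>/dev/null)" = tag ] || return 1
    # verify-tag exits non-zero on failure; the decision is made on the
    # status lines, so the exit code is deliberately ignored here.
    status=$(git -C "$repo" verify-tag --raw "$tag" 2>&1) || true
    status_trusted "$status" "$@"
}
```

Matching on the full fingerprint rather than on the GOODSIG line matters: GOODSIG only says the signature is cryptographically correct for some key in the local keyring, not that the key is one the packager chose to trust.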