- Do PKGBUILDs support signing the PKGBUILD and verifying that signature?
  (This seems like a good feature for yaourt or possibly makepkg if it isn't
  one already.)

  It seems like if you want safety from MITM attacks, PGP sigs are the way
  to go: either sign the PKGBUILD and put the checksum in there, or include
  the signature of the source file in the tarball/pkg. (This is already
  provided for binary pkgs, but not source ones, correct? Seems easy enough
  to add a PKGBUILD signature and teach makepkg to use it.)

On Mon, Oct 21, 2013 at 10:13 PM, Doug Newgard <[email protected]> wrote:

> ----------------------------------------
> > From: [email protected]
> > Date: Tue, 22 Oct 2013 01:56:16 +0100
> > To: [email protected]
> > Subject: [aur-general] Support for remote sums in PKGBUILDs
> >
> > Breaking away from an IRC convo from this morning; has support for
> > remote sums been considered for pacman?
> > It's currently possible to do this for .sig files (through the source
> > array), but not available for simple sha/md5 hashes. This would let
> > packagers do something like:
> > > source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
> > > sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
> >
> > (Of course, only for servers that generate a programmatically
> > discoverable hash of some sort; but it's not actually uncommon)
> >
> > J. Leclanche
>
> Couldn't you just do:
> sha1sums=("$(curl
> http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
>
> It kind of defeats the purpose, though. If the server is hacked or someone
> does a MitM, they can easily replace the checksum file as well.
>
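The point Doug makes above (a checksum fetched from the same place as the tarball is replaced right along with it) can be shown with a small constructed demonstration. This is an added example, not code from the thread or from makepkg: a local directory stands in for the `http://example.com/downloads/` server, the package name and file contents are made up, and the two `verify_*` functions model a remote-sum check versus a checksum pinned in the PKGBUILD by the packager.

```shell
#!/bin/sh
# Constructed demonstration of why a remotely fetched checksum adds no
# integrity: if the tarball and its published .sha1 live on the same server
# (or travel over the same MITM-able channel), an attacker replaces both and
# the check still passes. A hash pinned in the PKGBUILD does not travel with
# the download, so the same substitution is detected.
# Everything here (paths, package name, contents) is made up for the example.

set -eu

# Hex SHA-1 of a file, without the trailing file name.
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Create a directory standing in for the download server, holding the
# genuine tarball and the .sha1 file the server publishes next to it.
build_server() {
    dir=$(mktemp -d)
    printf 'genuine package contents\n' > "$dir/pkg-1.0.tar.xz"
    sha1_of "$dir/pkg-1.0.tar.xz" > "$dir/pkg-1.0.tar.xz.sha1"
    printf '%s' "$dir"
}

# Model of a compromised server or in-path tamperer: swap the tarball and
# regenerate the published .sha1 so the pair stays self-consistent.
compromise_server() {
    printf 'tampered package contents\n' > "$1/pkg-1.0.tar.xz"
    sha1_of "$1/pkg-1.0.tar.xz" > "$1/pkg-1.0.tar.xz.sha1"
}

# Remote-sum check as proposed in the thread: the expected hash is read from
# the server at build time. Returns 0 when the hashes match.
verify_remote_sum() {
    expected=$(cat "$1/pkg-1.0.tar.xz.sha1")
    [ "$expected" = "$(sha1_of "$1/pkg-1.0.tar.xz")" ]
}

# Pinned check as makepkg does today: $2 is the hash the packager recorded
# in the PKGBUILD after inspecting the genuine tarball. Returns 0 on match.
verify_pinned_sum() {
    [ "$2" = "$(sha1_of "$1/pkg-1.0.tar.xz")" ]
}

# Walk through the scenario; exits 0 only if the remote-sum check is fooled
# and the pinned check catches the substitution.
demo() {
    srv=$(build_server)
    pinned=$(sha1_of "$srv/pkg-1.0.tar.xz")
    compromise_server "$srv"
    remote_fooled=1
    verify_remote_sum "$srv" || remote_fooled=0
    pinned_caught=1
    verify_pinned_sum "$srv" "$pinned" && pinned_caught=0
    rm -rf "$srv"
    echo "remote-sum check still passes after tampering: $remote_fooled"
    echo "pinned checksum detects tampering:             $pinned_caught"
    [ "$remote_fooled" = 1 ] && [ "$pinned_caught" = 1 ]
}
```

Run `demo` after sourcing the file; both lines should print 1. The same reasoning applies to a `.sig` fetched from the server: it only helps because the verifying key is already trusted locally, which is why the thread's suggestion of signing the PKGBUILD (or the source) with PGP carries weight where a remote hash does not.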