----------------------------------------
> Date: Mon, 21 Oct 2013 22:19:32 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: [aur-general] Support for remote sums in PKGBUILDs
>
> - Do PKGBUILDs support signing the PKGBUILD and verifying that signature?
> (This seems like a good feature for yaourt or possible makepkg if it isn't
> one already.)
> It seems like if you want safety from MITM attacks, PGP sigs are the way
> to go, either sign the PKGBUILD and put the checksum in there, or include
> the signature of the source file in the tarball/pkg. (This is already
> provided for binary pkgs, but not source ones, correct? Seems easy enough
> to add a PKGBUILD signature and teach makepkg to use it.)
>
>
>
> On Mon, Oct 21, 2013 at 10:13 PM, Doug Newgard <[email protected]> wrote:
>
>> ----------------------------------------
>>> From: [email protected]
>>> Date: Tue, 22 Oct 2013 01:56:16 +0100
>>> To: [email protected]
>>> Subject: [aur-general] Support for remote sums in PKGBUILDs
>>>
>>> Breaking away from an IRC convo from this morning; has support for
>>> remote sums been considered for pacman?
>>> It's currently possible to do this for .sig files (through the source
>>> array), but not available for simple sha/md5 hashes. This would let
>>> packagers do something like:
>>> source=("http://example.com/downloads/$pkgname-$pkgver.tar.xz")
>>> sha1sums=("http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1")
>>>
>>> (Of course, only for servers that generate a programmatically
>>> discoverable hash of some sort; but it's not actually uncommon)
>>>
>>> J. Leclanche
>>
>> Couldn't you just do:
>> sha1sums=("$(curl http://example.com/downloads/$pkgname-$pkgver.tar.xz.sha1)")
>>
>> It kind of defeats the purpose, though. If the server is hacked or someone
>> does a MitM, they can easily replace the checksum file as well.
>>

Let's be realistic here: you're not going to get all of the PKGBUILDs in the
AUR signed with PGP.
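
The point Doug makes in the quoted reply, as an added shell example that is not from the thread or from makepkg: a scratch directory stands in for example.com's downloads/ path, the foo-1.0.tar.xz name and the use of coreutils sha1sum are assumptions, and the two verify functions model the fetched-.sha1 scheme beside a hash pinned in the PKGBUILD.

```shell
#!/bin/bash
# Added illustration (not from the thread): a checksum fetched from the same
# origin as the tarball adds no protection, while a checksum pinned in the
# PKGBUILD does. A scratch directory stands in for example.com's "downloads/".
set -u

sha1_of() { sha1sum "$1" | cut -d' ' -f1; }

# Build a fake "server" holding a tarball and its published .sha1 file.
make_server() {   # $1 = directory, $2 = tarball contents (constructed)
    mkdir -p "$1"
    printf '%s' "$2" > "$1/foo-1.0.tar.xz"
    sha1_of "$1/foo-1.0.tar.xz" > "$1/foo-1.0.tar.xz.sha1"
}

# Scheme from the thread, sha1sums=("$(curl .../file.sha1)"): the expected
# value is read from the same place the file itself comes from.
verify_remote_sum() {  # $1 = server dir; exit status 0 when the check passes
    [ "$(sha1_of "$1/foo-1.0.tar.xz")" = "$(cat "$1/foo-1.0.tar.xz.sha1")" ]
}

# Pinned scheme, sha1sums=('<hash>'): the value was written into the PKGBUILD
# when the packager looked at the release, so it does not travel with the file.
verify_pinned_sum() {  # $1 = server dir, $2 = pinned sha1; 0 when it matches
    [ "$(sha1_of "$1/foo-1.0.tar.xz")" = "$2" ]
}

demo() {
    tmp=$(mktemp -d)
    make_server "$tmp/good" "genuine release"
    pinned=$(sha1_of "$tmp/good/foo-1.0.tar.xz")   # packager records this
    # Later the origin (or the path to it) is compromised and serves a
    # different tarball together with a matching .sha1 file.
    make_server "$tmp/tampered" "something else"
    verify_remote_sum "$tmp/tampered" && r_remote=pass || r_remote=fail
    verify_pinned_sum "$tmp/tampered" "$pinned" && r_pinned=pass || r_pinned=fail
    rm -rf "$tmp"
    echo "remote .sha1 check: $r_remote  pinned sha1sums check: $r_pinned"
}

demo
```

The remote check passes on the tampered download because the attacker controls both files, which is the reason the thread ends up at PGP signatures or pinned sums rather than remote sums.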
