Wait a moment, you're fetching a specific release, then you shouldn't
suffix your package with -git [1]. Even more, you don't need git at all
in this case, as there's a tarball available including a signature
file. I'd recommend using xen-dev or something like that to indicate
you're fetching a testing release.
Just change the first instance of your source array to
source=("http://bits.xensource.com/oss-xen/release/${pkgver/_/-}/xen-${pkgver/_/-}.tar.gz"{,.sig}
(in one line) and regenerate sha256sums with updpkgsums. The signature
is checked automatically.
Moreover, the install file doesn't need to be listed in the source
array.
Regards,
Marcel
[1]
https://wiki.archlinux.org/index.php/VCS_PKGBUILD_Guidelines#Guidelines
