On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail 
> and then use the included SHA1 to check the tarball, but doing that as 
> a non-list member isn't as easy due to many list archives stripping or 
> mangling PGP signatures.  I tried doing this with the 0.11 
> announcement from the Mailman and Gmane archives now and wasn't 
> successful.

It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:

        curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw |
        sed -e 's/cgit[^ ]*@public.gmane.org/cgit@lists.zx2c4.com/' |
        gpg --verify

> Posting a detached PGP signature for the tarball would improve the 
> ability for users to trust and verify the cgit tarball.  It's not a 
> blocker for your patch, but it would make it significantly more 
> useful, so I thought I would broach the subject. ;)

It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).

There's a recent thread on the Git mailing list about a way to handle
this better[0], but there isn't any code yet AFAIK.

[0] http://thread.gmane.org/gmane.comp.version-control.git/264533
_______________________________________________
CGit mailing list
CGit@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/cgit

Reply via email to