Hmm... Currently I am unable to reproduce a human readable gpg output
that verifies the PKGBUILD was created by the packager when using the
git pull method. For me nothing displays:

user@localhost/packages/abslibre % git pull --rebase --verify-signatures

Current branch master is up to date.
user@localhost/packages/abslibre % git --version
git version 2.5.0

Whereas a GPG signed PKGBUILD displays this during build:
 |  ==> Verifying source file signatures with gpg...
 |      allmydata-tahoe-1.10.1.tar.bz2 ... Passed
 |      PKGBUILD ... Passed
and if you include gpg --verify in the PKGBUILD build() process, it will
say verified good signature in addition to that.

I also find this useful if I just want to build a single package instead
of downloading the entire git. I just download PKGBUILD and PKGBUILD.sig
then build from that.

On 07/30/2015 06:32 PM, fauno wrote:

> Luke <[email protected]> writes:
>> 3) Sign the PKGBUILD with GPG:
>> gpg --default-key [YOURKEYID] -b PKGBUILD
>>
>> 4) Enable GPG signing in your gitconfig so that our commits are also
>> signed. I've added this one-liner to the wiki already and fauno is also
>> using it.
>> Then simply: git add -f PKGBUILD PKGBUILD.sig; git commit -m "pushing my
>> signed package with signed commit"; git push (same as before)
> i don't see why signing the pkgbuild is required when signing the whole
> commit achieves the same thing and is easily verifiable with: git pull
> --rebase --verify-signatures
>
> i'm ok with the other points
>
>
>
> _______________________________________________
> Dev mailing list
> [email protected]
> https://lists.parabola.nu/mailman/listinfo/dev



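The two verification paths argued over in the thread (a detached gpg signature on PKGBUILD, and a signed commit checked by git) can be exercised end to end in a throwaway keyring and repository. The script below is an added example, not code from the thread or from the Parabola tooling; it assumes gpg 2.1 or newer and git are installed, and the packager identity, key and package contents are constructed for the demo. It also shows why Luke's `git pull` printed nothing: the merge-time check only looks at commits being fetched, so history that is already local has to be checked explicitly with `git verify-commit`.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: exercise both
# verification paths discussed above (detached gpg signature on PKGBUILD,
# and a signed commit checked by git) in a throwaway keyring and repo.
# Assumes gpg >= 2.1 and git; identity, key and package are constructed.
set -eu

verify_signed_package_workflow() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"

    # Throwaway packager key without a passphrase so the run is unattended.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Packager <[email protected]>' default default never
    keyid=$(gpg --batch --list-keys --with-colons | awk -F: '$1 == "pub" { print $5; exit }')

    repo="$work/abslibre"
    git init -q "$repo"
    git -C "$repo" config user.name 'Demo Packager'
    git -C "$repo" config user.email '[email protected]'
    git -C "$repo" config user.signingkey "$keyid"
    git -C "$repo" config commit.gpgsign true   # the gitconfig one-liner from the thread

    printf 'pkgname=demo\npkgver=1.0\npkgrel=1\n' > "$repo/PKGBUILD"
    # Step 3 from the thread: detached signature written to PKGBUILD.sig.
    gpg --batch --default-key "$keyid" -b "$repo/PKGBUILD"
    git -C "$repo" add -f PKGBUILD PKGBUILD.sig
    git -C "$repo" commit -q -m 'pushing my signed package with signed commit'

    # Check 1: the detached signature, the path makepkg and gpg --verify use.
    gpg --batch --verify "$repo/PKGBUILD.sig" "$repo/PKGBUILD" 2>/dev/null || return 1

    # Check 2: the commit signature on history that is already local, which
    # git pull --verify-signatures never revisits once the branch is up to date.
    git -C "$repo" verify-commit HEAD 2>/dev/null || return 1

    # Check 3: a consumer pulling a new commit gets the merge-time check.
    git clone -q "$repo" "$work/clone"
    printf 'pkgrel=2\n' >> "$repo/PKGBUILD"
    gpg --batch --yes --default-key "$keyid" -b "$repo/PKGBUILD"
    git -C "$repo" commit -q -am 'bump pkgrel'
    git -C "$work/clone" pull -q --no-rebase --verify-signatures 2>/dev/null || return 1

    # Check 4: a PKGBUILD edited after signing must fail verification.
    printf 'source=(tampered)\n' >> "$repo/PKGBUILD"
    if gpg --batch --verify "$repo/PKGBUILD.sig" "$repo/PKGBUILD" 2>/dev/null; then
        return 1
    fi

    rm -rf "$work"
    return 0
}
```

Run it with `verify_signed_package_workflow && echo ok`. The detached signature and the commit signature guard different things: the `.sig` file travels with the PKGBUILD, so a single file fetched outside git can still be checked, while the commit signature covers the whole tree but is only seen by `git pull --verify-signatures` at the moment new commits arrive.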