Hi, I would like to work on verifying git signed tags. So far I've actually managed to hack it into makepkg, but by missing a lot of edge cases and well writing an ugly implementation. [1] Some of this work has been borrowed from the systemd PKGBUILD. [2]
Example with vte3-ng:
==> Validating source files with md5sums...
vte-ng ... Skipped
==> Verifying source file signatures with gpg...
vte-ng ... Passed
Of course the hacks I've put in there are never going to be accepted
even if I bribe Allan with a case of bourbon.
I can think of the following issues, edge-cases which need to be
handled:
* git url, but no #tag= or #commit= specified, should verify HEAD on the
#branch or no tag, commit, branch case.
* Not parsing or tested invalid signed tags, not sure how git verify-tag
displays errors so that needs more work.
* I would like to move the git verification into source/git.sh.in and
then re-use the code which extracts #branch, #commit etc. It would
also reduce the clutter in verify_signature.sh.in. Another idea is to
move the verification into integrity/verify_git.sh.in.
* Changing the directory is cumbersome. git offers git -C $path
verify-tag $tag to resolve that.
* Multiple sources, .tar.gz{,asc} and a git one. (Rare but should be
handled) Or multiple git sources.
So tl;dr, I would love to see a pointer where I should call my own
verification function for git sources or any other edge-cases I've
missed :)
[1]
https://github.com/jelly/pacman/commit/5172a74ed9de422429d18034841acf8025fd34c8
[2]
https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/systemd
--
Jelle van der Waa
signature.asc
Description: PGP signature
