FS#49228 - [bitcoin] pkgbuild not verifying upstream signature
Attached to Project:
Community Packages
Opened by ikohvei (ikohvei) - Friday, 06 May 2016, 02:20 GMT
Last edited by Timothy Redaelli (tredaelli) - Thursday, 30 June 2016, 14:04 GMT
Details
Both of these packages
- https://www.archlinux.org/packages/community/x86_64/bitcoin-qt/
- https://www.archlinux.org/packages/community/x86_64/bitcoin-cli/

use this build script
- https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/bitcoin

and the build script doesn't verify the upstream PGP signature. The signing key is available here,
- https://bitcoin.org/en/download
- https://bitcoin.org/bin/bitcoin-core-0.12.1/SHA256SUMS.asc
- https://bitcoin.org/laanwj-releases.asc

Here is an example of a build script that verifies the PGP signature.
- https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=tor-browser-en
Closed by Timothy Redaelli (tredaelli)
Thursday, 30 June 2016, 14:04 GMT
Reason for closing: Won't implement
Additional comments about closing: tor-browser and all the other packages are verifying the detached signature directly and not the SHA256SUMS.asc.
My procedure is to check this manually when I release a version.
Splitting packages is necessary since they are different daemons with different dependencies.
https://www.archlinux.org/packages/?sort=&q=bitcoin
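
One way to do the check by hand when upstream ships a clearsigned SHA256SUMS.asc rather than a detached signature per file, as an added example that is not part of the ticket or the Arch PKGBUILD. The function names and the keyring argument are hypothetical, and it assumes the release key was already imported into that keyring after checking its fingerprint out of band.

```bash
#!/usr/bin/env bash
# Added example. Function names and the keyring argument are hypothetical.

# Step 1: verify the clearsigned checksum list and write only the signed
# payload to "$2". Lines outside the PGP armor in the .asc are not covered
# by the signature, so later steps must read "$2", never the raw .asc.
# "$3" is a keyring that already holds the release key (assumption: its
# fingerprint was checked out of band).
verify_sums() {
    local asc=$1 out=$2 keyring=$3
    if ! gpg --batch --no-default-keyring --keyring "$keyring" \
             --yes --output "$out" --decrypt "$asc"; then
        rm -f -- "$out"   # fail closed: leave no unverified list behind
        return 1
    fi
}

# Step 2: compare a downloaded file against the verified list.
# Returns 0 on match, 1 on mismatch, 2 if the file has no unique entry.
check_file() {
    local sums=$1 file=$2 name expected actual
    name=$(basename -- "$file")
    # sha256sum format: "<hash>  <name>" or "<hash> *<name>"; exact name match.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
                                 f == n { print $1 }' "$sums")
    [ "$(printf '%s\n' "$expected" | grep -c .)" -eq 1 ] || return 2
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Usage (file names are placeholders):
#   verify_sums SHA256SUMS.asc SHA256SUMS.verified ./release-keyring.gpg &&
#   check_file SHA256SUMS.verified ./bitcoin-<version>.tar.gz
```

A PKGBUILD can verify a detached `.sig`/`.asc` listed in `source=()` against `validpgpkeys`, which is why the two-step form above has to be run separately from the build.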