Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#52997 - [pass] pass PKGBUILD should use GPG signatures and HTTPS sources.
Attached to Project:
Community Packages
Opened by Mortan (Mortan1961) - Friday, 17 February 2017, 14:53 GMT
Last edited by Lukas Fleischer (lfleischer) - Wednesday, 12 April 2017, 05:19 GMT
Details
https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/ does not list pass, but it does apply to it. Both an HTTPS source and a valid GPG signature are available.
The PKGBUILD should read:
source=(https://git.zx2c4.com/password-store/snapshot/password-store-${pkgver}.tar.xz)
validpgpkeys=('AB9942E6D4A4CFC3412620A749FC7012A5DE03AE') #https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
Closed by Lukas Fleischer (lfleischer)
Wednesday, 12 April 2017, 05:19 GMT
Reason for closing: Not a bug
Comment by Doug Newgard (Scimmia) -
Saturday, 18 February 2017, 06:14 GMT
There is no sig file as far as I can see, just signed tags. Until makepkg supports this, the pgpkey is useless; even once it does, it's pretty useless for the tarball.
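The point raised in the comment above, as an added example that is not part of the original report or of makepkg: a small static check that flags a PKGBUILD whose validpgpkeys has no signature file in source=() to verify, along with any plain http/ftp source. The function names and the second sample are constructed, and the .sig/.sign/.asc suffix list is an assumption about which source entries count as detached signatures.

```python
import re

# Assumption: source entries ending in these suffixes are detached signatures.
SIG_SUFFIXES = (".sig", ".sign", ".asc")

def parse_array(pkgbuild, name):
    """Return the items of a simple bash array assignment name=(...)."""
    m = re.search(r"^\s*%s=\((.*?)\)" % re.escape(name), pkgbuild, re.M | re.S)
    if not m:
        return []
    items = []
    for line in m.group(1).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", line)  # drop trailing comments
        items += [tok.strip("'\"") for tok in line.split()]
    return items

def audit(pkgbuild):
    """Static findings only; the PKGBUILD is never sourced or executed."""
    findings = []
    # Strip the optional "filename::" prefix from each source entry.
    sources = [s.split("::", 1)[-1] for s in parse_array(pkgbuild, "source")]
    keys = parse_array(pkgbuild, "validpgpkeys")
    for s in sources:
        if re.match(r"(\w+\+)?(http|ftp)://", s):
            findings.append("insecure-transport: " + s)
    # Ignore URL query/fragment when looking at the file suffix.
    has_sig = any(re.split(r"[?#]", s)[0].endswith(SIG_SUFFIXES) for s in sources)
    if keys and not has_sig:
        findings.append("validpgpkeys-unused: no signature file in source=()")
    return findings

# The two assignments proposed in the report above.
REPORTED = """\
source=(https://git.zx2c4.com/password-store/snapshot/password-store-${pkgver}.tar.xz)
validpgpkeys=('AB9942E6D4A4CFC3412620A749FC7012A5DE03AE')
"""

# Constructed sample: a signature entry is present, but the tarball uses http.
CONSTRUCTED = """\
source=("foo-${pkgver}.tar.xz::http://example.org/foo.tar.xz"
        "https://example.org/foo.tar.xz.asc")
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')  # constructed fingerprint
"""

if __name__ == "__main__":
    for label, text in (("reported", REPORTED), ("constructed", CONSTRUCTED)):
        print(label, audit(text))
```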