FS#52997 - [pass] pass PKGBUILD should use GPG signatures and HTTPS sources.
Attached to Project:
Community Packages
Opened by Mortan (Mortan1961) - Friday, 17 February 2017, 14:53 GMT
Last edited by Lukas Fleischer (lfleischer) - Wednesday, 12 April 2017, 05:19 GMT
Details
https://www.archlinux.org/todo/use-gpg-signatures-and-https-sources/
does not list pass, but it does apply to it. Both an HTTPS
source and a valid GPG signature are available.
The PKGBUILD should read:
source=(https://git.zx2c4.com/password-store/snapshot/password-store-${pkgver}.tar.xz)
validpgpkeys=('AB9942E6D4A4CFC3412620A749FC7012A5DE03AE') #https://www.zx2c4.com/keys/AB9942E6D4A4CFC3412620A749FC7012A5DE03AE.asc
Closed by Lukas Fleischer (lfleischer)
Wednesday, 12 April 2017, 05:19 GMT
Reason for closing: Not a bug
Comment by Doug Newgard (Scimmia) -
Saturday, 18 February 2017, 06:14 GMT
There is no sig file as far as I can see, just signed tags. Until
makepkg supports this, the pgpkey is useless; even once it does,
it's pretty useless for the tarball.
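
Added example, not part of the ticket or of makepkg: a small lint for the point raised in the comment above. makepkg only runs a PGP check for source entries whose local file name ends in .sig, .sign or .asc, so validpgpkeys with no such entry verifies nothing. The function names and exit codes are assumptions of this sketch, and the example.org entries in the usage comments are constructed.

```shell
#!/bin/sh
# Lint the entries of a PKGBUILD source=() array for PGP signature coverage.
# Simplification: a signature is matched to a source by exact file name only.

# Local file name makepkg uses for an entry: "name::url" -> name, else URL basename.
local_name() {
    case "$1" in
        *::*) printf '%s\n' "${1%%::*}" ;;
        *)    printf '%s\n' "${1##*/}" ;;
    esac
}

# Usage: unsigned_sources ENTRY...
# Prints each non-signature entry that has no matching signature entry.
unsigned_sources() {
    sigs=" "
    for entry in "$@"; do
        name=$(local_name "$entry")
        case "$name" in
            *.sig|*.sign|*.asc) sigs="$sigs${name%.*} " ;;
        esac
    done
    for entry in "$@"; do
        name=$(local_name "$entry")
        case "$name" in
            *.sig|*.sign|*.asc) continue ;;
        esac
        case "$sigs" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Usage: lint_pgp NUM_VALIDPGPKEYS ENTRY...
# Returns 0 if every source is signed, 1 if some are not,
# 2 if keys are pinned but no signature file is listed at all.
lint_pgp() {
    nkeys=$1; shift
    has_sig=0
    for entry in "$@"; do
        case "$(local_name "$entry")" in
            *.sig|*.sign|*.asc) has_sig=1 ;;
        esac
    done
    if [ "$nkeys" -gt 0 ] && [ "$has_sig" -eq 0 ]; then
        echo "validpgpkeys is set but no source entry is a signature file" >&2
        return 2
    fi
    missing=$(unsigned_sources "$@")
    [ -z "$missing" ] && return 0
    echo "unsigned sources: $missing" >&2
    return 1
}
```

Called as `lint_pgp 1 'https://git.zx2c4.com/password-store/snapshot/password-store-${pkgver}.tar.xz'`, which is the configuration proposed in the ticket, it returns 2.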