Historical bug tracker for the Pacman package manager.
The pacman bug tracker has moved to gitlab:
https://gitlab.archlinux.org/pacman/pacman/-/issues
This tracker remains open for interaction with historical bugs during the transition period. Any new bug reports will be closed without further action.
FS#59588 - Implement signature check for git tags/commits
Attached to Project: Pacman
Opened by Pascal Ernster (hardfalcon) - Thursday, 09 August 2018, 12:34 GMT
Last edited by Allan McRae (Allan) - Thursday, 09 August 2018, 12:41 GMT
Details
It would be cool if there was a way to have makepkg check the key fingerprints of signed git tags/commits against the fingerprints in the validpgpkeys array.
To cover cases where multiple git sources are used but not all of them carry signatures, a mechanism would be needed to differentiate between signed and unsigned sources. One option to achieve this might be a URL prefix "git-signed+", similar to the already existing "git+".
"Allows specifying whether a VCS checkout should be
checked for PGP-signed revisions. The source line should have the
format source=(url#fragment?signed) or
source=(url?signed#fragment). Currently only supported by Git."
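
An added example, not makepkg's implementation and not part of the original report: it parses the two "?signed" source forms quoted above and accepts a revision only when the signer's primary-key fingerprint is listed among the validpgpkeys values. The URLs, fingerprints and GnuPG status lines are constructed, the function names are hypothetical, and the status text stands in for what `git verify-tag --raw` writes to stderr.

```sh
# Added example, not makepkg's own code. URLs and fingerprints are constructed.

# Succeeds if the entry carries the "signed" query in either documented
# position: url#fragment?signed or url?signed#fragment.
source_wants_signature() (
    url=${1#*::}                      # drop an optional "name::" prefix
    case $url in
        *\?*) query=${url#*\?} ;;
        *)    exit 1 ;;
    esac
    query=${query%%\#*}               # ignore a fragment after the query
    [ "$query" = signed ]
)

# Print the fragment (e.g. "tag=v1.0") without any trailing query.
source_fragment() (
    url=${1#*::}
    case $url in *\#*) ;; *) exit 0 ;; esac
    frag=${url#*\#}
    frag=${frag%%\?*}
    printf '%s\n' "$frag"
)

# Print the primary-key fingerprint from GnuPG status lines read on stdin.
# Assumes the VALIDSIG line ends with the primary key fingerprint.
signer_fingerprint() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# verdict SOURCE STATUS KEY...  prints "unsigned", "accept" or "reject".
verdict() (
    src=$1 status=$2; shift 2
    source_wants_signature "$src" || { echo unsigned; exit 0; }
    fpr=$(printf '%s\n' "$status" | signer_fingerprint)
    for key in "$@"; do               # KEY... plays the role of validpgpkeys
        if [ -n "$fpr" ] && [ "$key" = "$fpr" ]; then echo accept; exit 0; fi
    done
    echo reject                       # no valid signature, or unlisted signer
)

KEY=0123456789ABCDEF0123456789ABCDEF01234567   # constructed validpgpkeys entry
GOOD="[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2018-08-09 1533818040 0 4 0 1 8 00 $KEY"
BAD='[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1533818040 9'
for s in 'git+https://example.org/a.git#tag=v1.0?signed' \
         'git+https://example.org/b.git?signed#tag=v1.0' \
         'git+https://example.org/c.git#branch=main'; do
    echo "$s ($(source_fragment "$s")) -> $(verdict "$s" "$GOOD" "$KEY")"
done
```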