FS#70325 - [nodejs] use signed git tag
Attached to Project:
Community Packages
Opened by T.J. Townsend (blakkheim) - Wednesday, 07 April 2021, 01:01 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 17 September 2023, 09:02 GMT
Opened by T.J. Townsend (blakkheim) - Wednesday, 07 April 2021, 01:01 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 17 September 2023, 09:02 GMT
|
Details
Description:
Attached diff switches the nodejs package to a PGP-signed git tag for authenticity. |
This task depends upon
Closed by Jelle van der Waa (jelly)
Sunday, 17 September 2023, 09:02 GMT
Reason for closing: Deferred
Sunday, 17 September 2023, 09:02 GMT
Reason for closing: Deferred
They do provide a PGP-signed SHASUMS256.txt but we can't use indirectly signed manifests in makepkg
I think the best solution here is to open a ticket with the nodejs team asking them to, in addition to signing the checksum file, also sign the tarballs themselves.