FS#76611 - [cmake] use signed git tag

Attached to Project: Arch Linux
Opened by T.J. Townsend (blakkheim) - Thursday, 17 November 2022, 18:19 GMT
Last edited by Antonio Rojas (arojas) - Friday, 26 May 2023, 20:02 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Antonio Rojas (arojas)
Felix Yan (felixonmars)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The attached diff switches the cmake PKGBUILD to use a PGP-signed git tag for authenticity.

Additional info:
I also tried to get upstream to sign the tarballs we currently use but was unsuccessful.
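For readers who do not have the attachment, here is an added illustration of the PKGBUILD shape the description refers to; it is not the diff from this task and not the cmake package's actual PKGBUILD. makepkg's `?signed` fragment on a git source makes it verify the tag's PGP signature and accept only keys listed in `validpgpkeys`; the fingerprint below is a placeholder and must be replaced with the release signer's real fingerprint obtained from upstream.

```shell
# Added example, not the attached diff: a PKGBUILD fragment that fetches cmake
# from a PGP-signed git tag. The "?signed" fragment tells makepkg to verify the
# tag signature before building, using only the keys in validpgpkeys.
pkgname=cmake
pkgver=3.25.3
pkgrel=1
source=("git+https://github.com/Kitware/CMake.git#tag=v${pkgver}?signed")
# A git checkout is authenticated by the tag signature, not by a checksum.
sha256sums=('SKIP')
# Placeholder fingerprint: replace with the upstream release signer's full
# fingerprint, obtained out of band (e.g. the key that signs the release
# hash listings). makepkg aborts if the tag is signed by any other key.
validpgpkeys=('0000000000000000000000000000000000000000')

# Derive the package version from the verified tag so pkgver cannot silently
# diverge from what was actually signature-checked.
pkgver() {
  cd CMake
  git describe --tags | sed 's/^v//;s/-/+/g'
}
```

Because the checkout is accepted on the strength of the signature alone, the trust decision moves entirely to how the fingerprint in `validpgpkeys` was obtained; pinning `tag=v${pkgver}` rather than a commit ID (as the later comments mention) keeps the PKGBUILD simple but means a re-pointed tag would only be caught by the signature check, not by a hash.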

Closed by Antonio Rojas (arojas)
Friday, 26 May 2023, 20:02 GMT
Reason for closing: Fixed
Additional comments about closing: 157fa063a96e5d1bf3d751135ec5766b8295f2d0
Comment by T.J. Townsend (blakkheim) - Thursday, 17 November 2022, 18:25 GMT
Or an alternate diff that uses their Gitlab instead of Github (slower, but technically upstream)
Comment by T.J. Townsend (blakkheim) - Wednesday, 28 December 2022, 01:05 GMT
Ping
Comment by T.J. Townsend (blakkheim) - Thursday, 19 January 2023, 20:13 GMT
Updated diff for 3.25.2
Comment by T.J. Townsend (blakkheim) - Wednesday, 08 March 2023, 19:10 GMT
Updated diff for 3.25.3

(uses tag=v${pkgver} instead of a commit ID for the maintainer's convenience this time, since the former doesn't seem to be wanted)
Comment by T.J. Townsend (blakkheim) - Monday, 22 May 2023, 18:53 GMT
FWIW upstream dev Brad King just explicitly refused my inquiry about providing detached signatures to the tarball, so this is the only way we can get authenticity for cmake sources.

"No, sorry. Please fetch the .txt, check its signature, and use it to verify the hash of the real tarball."
