[Dev] New packaging standards/policy discussion

Luke g4jc at openmailbox.org
Thu Jul 30 23:05:51 GMT 2015


Hmm... Currently I am unable to reproduce a human-readable gpg output
that verifies the PKGBUILD was created by the packager when using the
git pull method. For me nothing displays:

user at localhost/packages/abslibre % git pull --rebase --verify-signatures

Current branch master is up to date.
user at localhost/packages/abslibre % git --version
git version 2.5.0

Whereas a GPG signed PKGBUILD displays this during build:
 |  ==> Verifying source file signatures with gpg...
 |      allmydata-tahoe-1.10.1.tar.bz2 ... Passed
 |      PKGBUILD ... Passed
and if you include gpg --verify in the PKGBUILD build() process, it will
say verified good signature in addition to that.

I also find this useful if I just want to build a single package instead
of downloading the entire git. I just download PKGBUILD and PKGBUILD.sig
then build from that.

On 07/30/2015 06:32 PM, fauno wrote:

> Luke <g4jc at openmailbox.org> writes:
>> 3) Sign the PKGBUILD with GPG:
>> gpg --default-key [YOURKEYID] -b PKGBUILD
>>
>> 4) Enable GPG signing in your gitconfig so that our commits are also
>> signed. I've added this one-liner to the wiki already and fauno is also
>> using it.
>> Then simply: git add -f PKGBUILD PKGBUILD.sig; git commit -m "pushing my
>> signed package with signed commit"; git push (same as before)
> i don't see why signing the pkgbuild is required when signing the whole
> commit achieves the same thing and is easily verifiable with: git pull
> --rebase --verify-signatures
>
> i'm ok with the other points
>
> _______________________________________________
> Dev mailing list
> Dev at lists.parabola.nu
> https://lists.parabola.nu/mailman/listinfo/dev
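A note on the two checks discussed in this thread, with an added example that is not from the original message or from the Parabola tooling: `git pull --verify-signatures` only inspects the commits it is about to merge, so on a branch that is already up to date it has nothing to verify and prints nothing. To check what is already checked out, `git verify-commit --raw HEAD` emits the same machine-readable `[GNUPG:] ...` status lines that `gpg --verify --status-fd 1 PKGBUILD.sig PKGBUILD` does. The script below parses those lines and accepts a signature only when it is GOODSIG, VALIDSIG and made by an expected key; the fingerprint, key ID, user ID and the sample status outputs are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: fail-closed checking of GnuPG status
# output for either a detached PKGBUILD.sig or a signed git commit.

# Constructed placeholder: the primary-key fingerprint the packager is expected
# to sign with. Replace with the real 40-hex-digit fingerprint.
TRUSTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# gpg_status_ok STATUS_TEXT TRUSTED_FPR
# Returns 0 only if the status lines contain a GOODSIG, exactly one VALIDSIG
# whose primary-key fingerprint (last field) equals TRUSTED_FPR, and none of
# the lines that mean the signature must not be trusted. Grepping the
# human-readable "Good signature from ..." text is locale-dependent and
# does not distinguish an expired or revoked key; the status lines do.
gpg_status_ok() {
    status="$1"
    want="$2"
    # Any of these is a hard failure regardless of what else was printed.
    if printf '%s\n' "$status" \
        | grep -Eq '^\[GNUPG:\] (BADSIG|EXPKEYSIG|REVKEYSIG|ERRSIG|NO_PUBKEY) '; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    # VALIDSIG: <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
    #           <pubkey-algo> <hash-algo> <class> <primary-key-fpr>
    # Taking the last field means a signing subkey still maps to its primary key.
    primary=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $NF}')
    [ -n "$primary" ] || return 1
    # Two or more VALIDSIG lines leave a multi-line value that never matches,
    # so unexpected extra signatures also fail closed.
    [ "$primary" = "$want" ]
}

# verify_pkgbuild [DIR]: the detached-signature check from the thread
# (gpg -b PKGBUILD produces PKGBUILD.sig), with status lines on stdout.
verify_pkgbuild() {
    dir="${1:-.}"
    out=$(gpg --verify --status-fd 1 "$dir/PKGBUILD.sig" "$dir/PKGBUILD" 2>/dev/null)
    gpg_status_ok "$out" "$TRUSTED_FPR"
}

# verify_head_commit: check the commit already checked out. `git verify-commit
# --raw` writes the raw gpg status to stderr, hence 2>&1.
verify_head_commit() {
    out=$(git verify-commit --raw HEAD 2>&1)
    gpg_status_ok "$out" "$TRUSTED_FPR"
}

# Constructed sample status output for a good signature by the trusted key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID AbCdEfGhIjKlMnOpQrStUvWxYz0 2015-07-30 1438297551
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-07-30 1438297551 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: a signature that does not match the file contents.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Packager <packager@example.org>'

# Constructed: a good signature, but from a key other than the trusted one.
WRONG_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-07-30 1438297551 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: the key is known and the signature matches, but the key expired.
EXPIRED_STATUS='[GNUPG:] NEWSIG
[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Example Packager <packager@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-07-30 1438297551 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
```

In a PKGBUILD build() step the call would be `verify_pkgbuild "$startdir" || return 1`; in a checkout that `git pull --verify-signatures` reports as up to date, `verify_head_commit` answers the question that the pull left unanswered.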
