[Dev] [UNIFONT] package update

Wael Karram wael at waelk.tech
Mon Nov 28 11:18:54 GMT 2022


On Sun, 2022-11-27 at 09:20 -0500, bill-auger wrote:
> just to note that this PKGBUILD is still untidy
> 
> > # source=("http://unifoundry.com/pub/unifont/unifont-$pkgver/unifont-$pkgver.tar.gz"{,.sig})
> > source=("http://unifoundry.com/pub/unifont/unifont-$pkgver/unifont-$pkgver.tar.gz")
> > sha256sums=('7d11a924bf3c63ea7fdf2da2b96d6d4986435bedfd1e6816c8ac2e6db47634d5'
> > #             'SKIP')
> >             )
> > validpgpkeys=('95D2E9AB8740D8046387FD151A09227B1F435A33') # Paul Hardy
> 
> so validpgpkeys is populated, but it will not be used - why does it not
> download a signature file; but suggests that it should?

I figure it is there to verify that the signature matches what it should be.
It does compile without that though, but according to the Arch Wiki I can't find how
to force verification.

Am I missing something here?
Relevant Arch Wiki section:
https://wiki.archlinux.org/title/Pkgbuild#validpgpkeys

Additionally I thought we can do without it, but the download is done over HTTP
and not HTTPS, so realistically it is better to verify that the signature
matches what we expect it to be before it is used to verify the downloaded
source files.


-- 
Kind Regards,
Wael Karram.
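
Added example, not part of the original message or of the Parabola package: makepkg runs PGP verification only for signature files listed in source=(), so a populated validpgpkeys with no signature source is never consulted. The lint below reads a PKGBUILD as text and reports that mismatch; the sample PKGBUILDs, their URL, checksum and key fingerprint are constructed placeholders, and the function and finding names are hypothetical.

```shell
#!/bin/sh
# Lints a PKGBUILD as text; the file is never sourced or executed.

# Constructed samples: URL, checksum and fingerprint are placeholders.
sample_unsigned() {
cat <<'EOF'
# source=("http://example.invalid/foo-$pkgver.tar.gz"{,.sig})
source=("http://example.invalid/foo-$pkgver.tar.gz")
sha256sums=('PLACEHOLDER_SHA256'
#             'SKIP')
            )
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567') # placeholder
EOF
}
sample_signed() {
cat <<'EOF'
source=("http://example.invalid/foo-$pkgver.tar.gz"{,.sig})
sha256sums=('PLACEHOLDER_SHA256'
            'SKIP')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567') # placeholder
EOF
}

# Print the active (uncommented) lines of array $1 from the PKGBUILD on stdin.
pkgbuild_array() {
    grep -v '^[[:space:]]*#' | awk -v name="$1" '
        index($0, name "=(") == 1 { on = 1 }
        on { print; if ($0 ~ /\)[ \t]*(#.*)?$/) on = 0 }'
}

# Print one finding per line for the PKGBUILD on stdin; nothing when consistent.
lint_pkgbuild() {
    text=$(cat)
    src=$(printf '%s\n' "$text" | pkgbuild_array source)
    keys=$(printf '%s\n' "$text" | pkgbuild_array validpgpkeys)
    has_sig=no; has_key=no
    # makepkg treats .sig/.sign/.asc sources (and ?signed VCS URLs) as signatures.
    printf '%s\n' "$src" | grep -Eq '\.(sign?|asc)([^A-Za-z0-9]|$)|[?]signed' && has_sig=yes
    printf '%s\n' "$keys" | grep -Eq '[0-9A-Fa-f]{40}' && has_key=yes
    [ "$has_key" = yes ] && [ "$has_sig" = no ] &&
        echo "UNUSED_VALIDPGPKEYS: no signature file in source=()"
    [ "$has_sig" = no ] && printf '%s\n' "$src" | grep -q 'http://' &&
        echo "HTTP_NO_SIGNATURE: plain-HTTP source without a signature"
    [ "$has_sig" = yes ] && [ "$has_key" = no ] &&
        echo "UNPINNED_SIGNER: signature listed but validpgpkeys is empty"
    return 0
}

sample_unsigned | lint_pkgbuild
```

Only the plain source= array is inspected; architecture-specific arrays such as source_x86_64 are outside what this lint covers.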

