<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-text-plain" wrap="true" graphical-quote="true"
style="font-family: -moz-fixed; font-size: 12px;" lang="x-western">
<pre wrap="">Hmm... Currently I am unable to reproduce a human readable gpg output
that verifies the PKGBUILD was created by the packager when using the
git pull method. For me nothing displays:

user@localhost/packages/abslibre % git pull --rebase --verify-signatures
Current branch master is up to date.
user@localhost/packages/abslibre % git --version
git version 2.5.0

Whereas a GPG signed PKGBUILD displays this during build:

| ==> Verifying source file signatures with gpg...
| allmydata-tahoe-1.10.1.tar.bz2 ... Passed
| PKGBUILD ... Passed

and if you include gpg --verify in the PKGBUILD build() process, it will
say verified good signature in addition to that.

I also find this useful if I just want to build a single package instead
of downloading the entire git. I just download PKGBUILD and PKGBUILD.sig
then build from that.

On 07/30/2015 06:32 PM, fauno wrote:
</pre>
<blockquote type="cite" style="color: #000000;">
<pre wrap="">Luke <a class="moz-txt-link-rfc2396E" href="mailto:g4jc@openmailbox.org">&lt;g4jc@openmailbox.org&gt;</a> writes:
</pre>
<blockquote type="cite" style="color: #000000;">
<pre wrap="">3) Sign the PKGBUILD with GPG:

gpg --default-key [YOURKEYID] -b PKGBUILD

4) Enable GPG signing in your gitconfig so that our commits are also
signed. I've added this one-liner to the wiki already and fauno is also
using it.

Then simply:

git add -f PKGBUILD PKGBUILD.sig; git commit -m "pushing my signed package with signed commit"; git push

(same as before)
</pre>
</blockquote>
<pre wrap="">i don't see why signing the pkgbuild is required when signing the whole
commit achieves the same thing and is easily verifiable with: git pull
--rebase --verify-signatures
i'm ok with the other points
</pre>
</blockquote>
<pre wrap="">
</pre>
</div>
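<pre wrap="">
Added example, not part of the original messages and not Parabola's own
tooling: the thread turns on whether a signature check shows that the
packager's key made the signature, so this shell function reads gpg's
machine-readable status lines (from a detached PKGBUILD.sig check or from a
signed commit) and accepts only a valid signature from a pinned full
fingerprint. The function name, the sample fingerprint and the sample status
lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from gpg status lines whether a signature is valid
# AND was made by the expected packager key. Feed it either check:
#   gpg --status-fd 1 --verify PKGBUILD.sig PKGBUILD 2>/dev/null | signed_by "$FPR"
#   git verify-commit --raw HEAD 2>&1 | signed_by "$FPR"
# FPR is the packager's full fingerprint, obtained out of band (assumption).

# signed_by FPR: reads status lines on stdin. Exit 0 only if a VALIDSIG line
# names FPR as the signing key or its primary key and no failure line is
# present. Short key IDs are rejected; unsigned input (no VALIDSIG) fails.
signed_by() {
    awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
        $1 != "[GNUPG:]" { next }
        # Any of these status keywords means the signature is not trustworthy.
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, field 12 the
        # fingerprint of the primary key it belongs to.
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok = 1 }
        END {
            if (ok && !bad && length(want) >= 40) exit 0
            exit 1
        }
    '
}

# Constructed sample data: not a real key and not real gpg output.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
sample_good() {
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Packager" \
        "[GNUPG:] VALIDSIG $SAMPLE_FPR 2015-07-30 1438280000 0 4 0 1 8 00 $SAMPLE_FPR"
}

# Demo on the constructed sample.
if sample_good | signed_by "$SAMPLE_FPR"; then
    echo "sample: valid signature from the pinned key"
fi
```

An up-to-date pull that prints nothing gives this function no VALIDSIG line,
so it fails closed instead of being read as a pass.
</pre>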
</body>
</html>