You are not logged in.

#1 2019-12-15 16:31:04

seberm
Member
Registered: 2019-12-15
Posts: 2

[SOLVED] How to verify signature saved in git tag/commit

Hello,
is it possible to somehow verify the signature in git tag/commit?

For example I have this repository:
- https://github.com/QubesOS/qubes-app-li … ag/v2.0.42

Unfortunately this project does not have signed whole source-code archives but it has signed commits and tags. It's recommended to check these signatures against Qubes Master Signing Key.

The PKGBUILD could be following:

pkgname=qubes-gpg-split
_gitname=${pkgname%-git*}
pkgver=2.0.42
pkgrel=1
validpgpkeys=('0AF64C3B1F1214B38C8C57861FA2DBE674387CC3'  # Otto Sabart
              '0064428F455451B3EBE78A7F063938BA42CFA724'  # Marek Marczykowski-Górecki
              '427F11FD0FAA4B080123F01CDDFA1A3E36879494'  # Qubes Master Signing Key
)

source=("$_gitname::git+https://github.com/QubesOS/qubes-app-linux-split-gpg.git#tag=v${pkgver}")
sha512sums=('SKIP')

build() { ... }
package() { ... }

But I can't see that the PGP signatures are verified in the output of makepkg:

$ makepkg
...
==> Validating source files with sha512sums...
    qubes-gpg-split ... Skipped
==> Extracting sources...
  -> Creating working copy of qubes-gpg-split git repo...
...

I looked into the code of makepkg and it seems there *is* support for a git signature verification (function called `verify_git_signature`). So, why is it not working?

What am I doing wrong?

Thank you!
Ota

Last edited by seberm (2020-01-03 13:33:36)

Offline

#2 2019-12-15 22:34:24

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,513

Re: [SOLVED] How to verify signature saved in git tag/commit

Check the pkgbuild man page, the VCS Sources section

Offline

#3 2019-12-17 22:01:35

seberm
Member
Registered: 2019-12-15
Posts: 2

Re: [SOLVED] How to verify signature saved in git tag/commit

Oh, thank you! I misread the PKGBUILD documentation.

Now everything works as expected. The example is here.

validpgpkeys=('0AF64C3B1F1214B38C8C57861FA2DBE674387CC3'  # Otto Sabart
              '0064428F455451B3EBE78A7F063938BA42CFA724'  # Marek Marczykowski-Górecki
              '427F11FD0FAA4B080123F01CDDFA1A3E36879494'  # Qubes Master Signing Key
)

source=("$_gitname::git+https://github.com/QubesOS/qubes-app-linux-split-gpg.git?signed#tag=v${pkgver}")
sha512sums=('SKIP')

Offline

Board footer

Powered by FluxBB