You are not logged in.
- Topics: Active | Unanswered
#1 2019-12-15 16:31:04
- seberm
- Member
- Registered: 2019-12-15
- Posts: 2
[SOLVED] How to verify signature saved in git tag/commit
Hello,
is it possible to somehow verify the signature in git tag/commit?
For example I have this repository:
- https://github.com/QubesOS/qubes-app-li … ag/v2.0.42
Unfortunately this project does not have signed whole source-code archives but it has signed commits and tags. It's recommended to check these signatures against Qubes Master Signing Key.
The PKGBUILD could be following:
pkgname=qubes-gpg-split
_gitname=${pkgname%-git*}
pkgver=2.0.42
pkgrel=1
validpgpkeys=('0AF64C3B1F1214B38C8C57861FA2DBE674387CC3' # Otto Sabart
'0064428F455451B3EBE78A7F063938BA42CFA724' # Marek Marczykowski-Górecki
'427F11FD0FAA4B080123F01CDDFA1A3E36879494' # Qubes Master Signing Key
)
source=("$_gitname::git+https://github.com/QubesOS/qubes-app-linux-split-gpg.git#tag=v${pkgver}")
sha512sums=('SKIP')
build() { ... }
package() { ... }But I can't see that the PGP signatures are verified in the output of makepkg:
$ makepkg
...
==> Validating source files with sha512sums...
qubes-gpg-split ... Skipped
==> Extracting sources...
-> Creating working copy of qubes-gpg-split git repo...
...I looked into the code of makepkg and it seems there *is* support for a git signature verification (function called `verify_git_signature`). So, why is it not working?
What am I doing wrong?
Thank you!
Ota
Last edited by seberm (2020-01-03 13:33:36)
Offline
#2 2019-12-15 22:34:24
- Scimmia
- Fellow
- Registered: 2012-09-01
- Posts: 11,544
Re: [SOLVED] How to verify signature saved in git tag/commit
Check the pkgbuild man page, the VCS Sources section
Offline
#3 2019-12-17 22:01:35
- seberm
- Member
- Registered: 2019-12-15
- Posts: 2
Re: [SOLVED] How to verify signature saved in git tag/commit
Oh, thank you! I misread the PKGBUILD documentation.
Now everything works as expected. The example is here.
validpgpkeys=('0AF64C3B1F1214B38C8C57861FA2DBE674387CC3' # Otto Sabart
'0064428F455451B3EBE78A7F063938BA42CFA724' # Marek Marczykowski-Górecki
'427F11FD0FAA4B080123F01CDDFA1A3E36879494' # Qubes Master Signing Key
)
source=("$_gitname::git+https://github.com/QubesOS/qubes-app-linux-split-gpg.git?signed#tag=v${pkgver}")
sha512sums=('SKIP')Offline