On 05/01/15 12:28 PM, Leonid Isaev wrote:
> On Mon, Jan 05, 2015 at 10:16:10AM +0100, Christian Hesse wrote:
>> I do not think we need HTTPS, though it does not hurt. If anybody tries to
>> fool us with man-in-the-middle via HTTP we should detect that just fine with
>> broken signatures (given signatures are provided...).
>>
>> Appending .sign may help as well. In fact for an example file archive.tar.xz
>> we may want to check for {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>>
>> $ export FILE=archive.tar.xz
>> $ echo {${FILE},${FILE%.(xz|bz2|gz)}}.{asc,sig,sign}
>> archive.tar.xz.asc
>> archive.tar.xz.sig
>> archive.tar.xz.sign
>> archive.tar.asc
>> archive.tar.sig
>> archive.tar.sign
>
> Does makepkg(8) know how to check sigs of .tar files as opposed to .tar.xz?
Yes, it learned how to do that in the most recent release.
Attachment:
signature.asc
Description: OpenPGP digital signature
