Bob Hepple wrote: > If we _do_ support "signed git tags" how do we code for it in the spec > file? As the builders lack Internet access, they can't pull directly from the upstream Git repository. To verify a signed Git tag during the build, it would be necessary to package up the whole Git repository (or enough of it to include the source code, the tag and the signature) and upload that instead of the source tarball. Then I suppose you would unpack the repository in %prep and run some Git command to verify the signature, probably "git verify-tag" which is described as "check the GPG signature of tags". gpgverify uses the command gpgv instead of gpg. It's a simplified verification method that fits this usecase better. If Git calls gpg and expects to find a keyring in the user's home directory, then you'd have to write the spec to prepare a suitable keyring, ensure that GnuPG will find that and no other keyring, and tell it to trust the correct key. It's far from trivial to get that right and secure. I'm not aware of any tooling for this other than gpgverify, so I suppose the answer is that Fedora does not support signed Git tags. It should also be noted that with gpgverify we verify the signature before we unpack the tarball. If a malicious tarball tries to attack some vulnerability in Tar or Gzip, then either the verification will fail and stop the build before the attack gets a chance to work, or else the tarball was already malicious when the upstream developer signed it. With Git I don't know how we could avoid unpacking the repository archive before we verify the signed tag. As to why the builders lack Internet access, I wasn't around when that was decided but it helps ensure that the source RPM packages actually contain the source code. Björn Persson
Attachment:
pgpQ0kd1j7jPB.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
