[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
John Keeping
john at keeping.me.uk
Mon Mar 9 21:49:46 CET 2015
On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail
> and then use the included SHA1 to check the tarball, but doing that as
> a non-list member isn't as easy due to many list archives stripping or
> mangling PGP signatures. I tried doing this with the 0.11
> announcement from the Mailman and Gmane archives now and wasn't
> successful.
It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:
curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw |
sed -e 's/cgit[^ ]*@public.gmane.org/cgit at lists.zx2c4.com/' |
gpg --verify
> Posting a detached PGP signature for the tarball would improve the
> ability for users to trust and verify the cgit tarball. It's not a
> blocker for your patch, but it would make it significantly more
> useful, so I thought I would broach the subject. ;)
It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).
There's a recent thread on the Git mailing list about a way to handle
this better[0], but there isn't any code yet AFAIK.
[0] http://thread.gmane.org/gmane.comp.version-control.git/264533
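As an added illustration of the check in the patch subject (this is example code, not cgit's Makefile or anything from the thread): a small POSIX shell script that verifies git-$VER.tar.gz against a SHA256 sum pinned in the build file and fails closed, deleting the tarball on a mismatch. It assumes either sha256sum or shasum is installed, and it simulates the download with a constructed local file so it runs offline.

```shell
#!/bin/sh
# Added example (not cgit's own Makefile code): verify git-$VER.tar.gz against a
# SHA256 sum pinned in the build file before the tarball is used, and fail closed.
# The "download" is simulated with a constructed local file so this runs offline;
# in a real Makefile the fetch would be a curl/wget of the tarball URL.

# Print the hex SHA256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare a file's digest with the pinned value; non-zero exit on mismatch.
verify_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'sha256 mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# Fetch (here: construct) git-$VER.tar.gz, verify it, and delete it on failure so
# that a later build step can never pick up an unverified tarball.
fetch_and_verify() {
    ver="$1"; expected="$2"; tarball="git-$ver.tar.gz"
    # Constructed stand-in for the downloaded tarball.
    printf 'constructed tarball contents for git-%s\n' "$ver" > "$tarball"
    if verify_sha256 "$tarball" "$expected"; then
        echo "$tarball: sha256 OK"
        return 0
    fi
    rm -f "$tarball"
    return 1
}

# Usage, with the sum the maintainer records next to VER in the build file:
#   fetch_and_verify 2.3.1 <pinned-sha256>
```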