[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

John Keeping john at keeping.me.uk
Mon Mar 9 21:49:46 CET 2015

On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail 
> and then use the included SHA1 to check the tarball, but doing that as 
> a non-list member isn't as easy due to many list archives stripping or 
> mangling PGP signatures.  I tried doing this with the 0.11 
> announcement from the Mailman and Gmane archives now and wasn't 
> successful.

It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:

	# fetch the raw signed announcement, undo GMane's address mangling
	# so the signed text matches again, then check the inline signature
	curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw |
	sed -e 's/cgit[^ ]*@public.gmane.org/cgit@lists.zx2c4.com/' |
	gpg --verify

> Posting a detached PGP signature for the tarball would improve the 
> ability for users to trust and verify the cgit tarball.  It's not a 
> blocker for your patch, but it would make it significantly more 
> useful, so I thought I would broach the subject. ;)

It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).

There's a recent thread on the Git mailing list about a way to handle
this better[0], but there isn't any code yet AFAIK.

[0] http://thread.gmane.org/gmane.comp.version-control.git/264533
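
The download-and-verify step the patch subject describes, written out as an added example (this is not code from the thread or from the cgit project): the tarball is fetched, rejected and deleted when its SHA256 digest does not match the expected value, and, if a signature URL is given, checked against a detached PGP signature. The URL, expected digest and signature location are whatever the caller passes in; the `fetch_and_verify` name and the `curl` flags are this example's choices, not anything the cgit script uses.

```shell
#!/bin/sh
# Added example (not from the thread or the cgit project): verify a
# downloaded release tarball against an expected SHA256 sum, and check a
# detached PGP signature if one is provided. File names and the expected
# digest are supplied by the caller; nothing here is cgit-specific.

# Print the SHA256 digest of a file, using whichever tool the host has.
sha256_of() {
	if command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | cut -d' ' -f1
	elif command -v shasum >/dev/null 2>&1; then
		shasum -a 256 "$1" | cut -d' ' -f1
	else
		# openssl prints "SHA256(file)= <hex>"; keep only the hex part
		openssl dgst -sha256 "$1" | sed 's/^.* //'
	fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when the digest matches, 1 otherwise (reporting both values).
verify_sha256() {
	file=$1
	expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
	actual=$(sha256_of "$file") || return 1
	if [ "$actual" = "$expected" ]; then
		return 0
	fi
	echo "SHA256 mismatch for $file" >&2
	echo "  expected: $expected" >&2
	echo "  actual:   $actual" >&2
	return 1
}

# verify_detached_sig FILE SIGFILE
# Checks a detached PGP signature; the signing key must already be in the
# verifying keyring. Returns gpg's exit status (0 only for a good signature).
verify_detached_sig() {
	gpg --verify "$2" "$1"
}

# fetch_and_verify URL EXPECTED_HEX [SIGURL]
# Download a tarball, reject it on checksum mismatch (removing the file so
# a later build step cannot pick it up by accident), then check the
# detached signature if a signature URL was given.
fetch_and_verify() {
	url=$1
	expected=$2
	sigurl=$3
	tarball=${url##*/}
	curl -fsSL -o "$tarball" "$url" || return 1
	verify_sha256 "$tarball" "$expected" || { rm -f "$tarball"; return 1; }
	if [ -n "$sigurl" ]; then
		curl -fsSL -o "$tarball.asc" "$sigurl" || return 1
		verify_detached_sig "$tarball" "$tarball.asc" || return 1
	fi
	echo "verified $tarball"
}
```

The checksum check stands on its own, but it only moves the trust question to wherever the expected digest came from; the signature check is what ties the tarball to the release manager's key, and, as the message above points out, a detached signature over a tarball that CGit regenerates on each request stays valid only while the generated archive remains byte-identical.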
