[PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading

Konstantin Ryabitsev mricon at kernel.org
Wed Mar 11 16:25:20 CET 2015


On 07/03/15 01:20 PM, John Keeping wrote:
> I still think we can't rely on `gpg --recv-keys` though, we would have
> to distribute the key with CGit and possibly also do something to avoid
> importing it into the user's keyring by default.

Here's 2 Canadian cents from the guy who is in charge of putting those
.sign files in place. :)

You can do it this way:

1. Create a pubring with Junio's key in it, like so:
   gpg --export 96AFE6CB > gitsig.gpg
2. Distribute gitsig.gpg with cgit
3. In the makefile, do something like this (e.g. for git-2.3.2):

xz -cd git-2.3.2.tar.xz | gpgv --homedir=/tmp --keyring=./gitsig.gpg \
    --status-fd=1 git-2.3.2.tar.sign - | grep '^\[GNUPG:\] GOODSIG'

If the last grep exits with 0, you're good.

Note that the "grep GOODSIG" part is important if you care to check for
key expiration. Default gpgv behaviour is to exit with 0 even if the key
used to sign the archive has long since expired or has been revoked
(yeah!). Grepping for "GOODSIG" will do the right thing but will also
break your builds when Junio's key expires in September. :)

If you don't care about such levels of paranoia, you can omit the "grep"
and --status-fd=1 part and just rely on gpgv exit code. It's good enough
for most people.

Extra note: instead of using --homedir=/tmp, use a temporary dir created
during make, in order to avoid potential security risks with someone
spiking /tmp with a pubring.gpg.

Hope this helps.

Best,
-- 
Konstantin Ryabitsev
Linux Foundation Collab Projects
Montréal, Québec
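The verification step from the mail above, written out as an added example (not code from the mail or from cgit's build): it uses a mktemp-created homedir instead of /tmp and accepts the signature only when gpgv reports GOODSIG, so an expired or revoked signing key fails the check even though gpgv itself may still exit 0. The status line contents in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original mail. Assumes gpgv, xz and mktemp
# are installed and that gitsig.gpg is the keyring exported with
# "gpg --export 96AFE6CB > gitsig.gpg" as described in the mail.

# Read gpgv --status-fd output on stdin and decide whether to accept it.
# Returns 0 only when a GOODSIG line is present and no EXPKEYSIG, REVKEYSIG,
# BADSIG or ERRSIG line appears; a plain exit-code check would miss the
# expired/revoked cases the mail warns about.
judge_gpgv_status() {
    good=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            '[GNUPG:] GOODSIG '*) good=1 ;;
            '[GNUPG:] EXPKEYSIG '*|'[GNUPG:] REVKEYSIG '*) bad=1 ;;
            '[GNUPG:] BADSIG '*|'[GNUPG:] ERRSIG '*) bad=1 ;;
        esac
    done
    [ "$good" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Verify tarball $1 against detached signature $2 using keyring $3
# (default ./gitsig.gpg). A fresh temporary homedir avoids picking up a
# pubring.gpg that someone may have planted in /tmp.
verify_git_tarball() {
    tarball=$1
    sig=$2
    keyring=${3:-./gitsig.gpg}
    homedir=$(mktemp -d) || return 1
    if xz -cd "$tarball" | gpgv --homedir="$homedir" --keyring="$keyring" \
            --status-fd=1 "$sig" - 2>/dev/null | judge_gpgv_status; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$homedir"
    return $rc
}

# Usage in a makefile recipe (uncomment to run):
# verify_git_tarball git-2.3.2.tar.xz git-2.3.2.tar.sign ./gitsig.gpg || exit 1
```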