From: john at keeping.me.uk (John Keeping)
Subject: [PATCH] Check SHA256 sum of git-$VER.tar.gz after downloading
Date: Mon, 9 Mar 2015 20:49:46 +0000 [thread overview]
Message-ID: <20150309204901.GL1369@serenity.lan> (raw)
In-Reply-To: <20150309193929.GW3567@zaya.teonanacatl.net>
On Mon, Mar 09, 2015 at 03:39:29PM -0400, Todd Zullinger wrote:
> Those on the list can check the PGP signature on the announcement mail
> and then use the included SHA1 to check the tarball, but doing that as
> a non-list member isn't as easy due to many list archives stripping or
> mangling PGP signatures. I tried doing this with the 0.11
> announcement from the Mailman and Gmane archives now and wasn't
> successful.
It turns out that GMane mangles the list address in the message, so it
is possible to validate it but it's not straightforward:
curl http://article.gmane.org/gmane.comp.version-control.cgit/2387/raw |
sed -e 's/cgit[^ ]*@public.gmane.org/cgit at lists.zx2c4.com/' |
gpg --verify
> Posting a detached PGP signature for the tarball would improve the
> ability for users to trust and verify the cgit tarball. It's not a
> blocker for your patch, but it would make it significantly more
> useful, so I thought I would broach the subject. ;)
It seems that Jason currently relies on CGit to generate the tarballs by
pointing to http://git.zx2c4.com/cgit/refs/tags, which means that a
signature isn't guaranteed to remain correct (Git has subtly changed the
tar encoding in the past and could do so again).
There's a recent thread on the Git mailing list about a way to handle
this better[0], but there isn't any code yet AFAIK.
[0] http://thread.gmane.org/gmane.comp.version-control.git/264533
next prev parent reply other threads:[~2015-03-09 20:49 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-07 14:46 john
2015-03-07 15:59 ` cgit
2015-03-07 17:02 ` john
2015-03-07 17:49 ` cgit
2015-03-07 18:20 ` john
2015-03-07 23:35 ` tmz
2015-03-08 10:45 ` john
2015-03-09 19:39 ` tmz
2015-03-09 20:49 ` john [this message]
2015-03-09 22:32 ` Jason
2015-03-09 22:34 ` Jason
2015-03-09 22:30 ` Jason
2015-03-09 22:42 ` tmz
2015-03-11 15:25 ` mricon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150309204901.GL1369@serenity.lan \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).