Re: use signed git tags to verify upstream tarball
On 21/08/15 11:12, Thomas Koch wrote:
> Sometimes we are lucky and upstream uses signed git tags. That still does not
> help us to verify the orig.tar.gz. It can however still be very useful.
>
Hi Thomas,
In case you're interested, I've tried to reproduce a "git archive" style
tarball (for example, as generated by github) from a gpg-signed tag.
This should at least imply some kind of trust.
Basically do (assuming you have some WOT toward the signer's key)
(1) git clone
(2) git tag --verify v1.31
(3) git archive v1.31 --prefix="projectname-1.31/" --format=tar | gzip -n > projectname-1.31.tar.gz
The produced tarball will be exactly the same as the github-generated
tarball, so if you use this as .orig.tar.gz, embedding the checksum into
your signed debian-changes file, you can use github's mirror safely and
should not have to worry about man-in-the-middle attacks.
Since you now have a direct correlation between signed+verified tag and
(locally, on your trusted system, regenerated) orig.tar.gz from this
very tag, does this help?
- Danny
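The three steps above as one runnable script (an added example, not code from the thread or from any Debian tooling). It wraps tag verification, the deterministic `git archive | gzip -n` step, and a byte-for-byte comparison into shell functions, then exercises them against a throwaway repository built in a temporary directory: the project name `projectname`, the tag `v1.31`, the file contents and the dates are all constructed for the demonstration, and the second clone stands in for the hosting site's mirror. The demo tag is annotated but unsigned (a real release would be created with `git tag -s`, and `verify_tag` would then be a hard requirement rather than an informational check). One caveat worth keeping in mind: the output of `git archive` has changed between git releases, so byte identity with a downloaded tarball holds only when the same git version produced both; always compare the regenerated tarball against the downloaded one, as `same_tarball` does, instead of assuming it.

```shell
#!/bin/sh
# Added example (not from the original thread): regenerate a "git archive"
# style tarball from a verified tag and check it against another copy.
set -eu

# Step (2): succeed only if the tag carries a good signature from a key in
# the local keyring (git calls gpg for this).  Non-zero otherwise.
verify_tag() {
    git -C "$1" tag --verify "$2" >/dev/null 2>&1
}

# Step (3): deterministic archive.  gzip -n omits the file name and
# timestamp from the gzip header, so the bytes depend only on the tagged
# commit (and on the git version that produced the archive).
regen_tarball() {
    repo=$1 tag=$2 project=$3 version=$4 out=$5
    git -C "$repo" archive "$tag" --prefix="${project}-${version}/" --format=tar \
        | gzip -n > "$out"
}

# Byte-for-byte comparison.  A mismatch means the downloaded tarball was not
# produced from this tag with this git version and must not be used as orig.
same_tarball() {
    cmp -s "$1" "$2"
}

# Self-contained demonstration with a constructed repository: project name,
# tag, file contents and dates are assumptions made for this example.
demo_roundtrip() {
    command -v git >/dev/null 2>&1 || { echo "git not found; skipping" >&2; return 0; }
    work=$(mktemp -d)
    export GIT_AUTHOR_DATE='2015-08-21 11:12:00 +0200'
    export GIT_COMMITTER_DATE="$GIT_AUTHOR_DATE"
    git init -q "$work/upstream" 2>/dev/null
    echo 'int main(void) { return 0; }' > "$work/upstream/main.c"
    git -C "$work/upstream" -c user.name=Upstream -c user.email=up@example.invalid \
        add main.c
    git -C "$work/upstream" -c user.name=Upstream -c user.email=up@example.invalid \
        commit -q -m 'release 1.31'
    git -C "$work/upstream" -c user.name=Upstream -c user.email=up@example.invalid \
        tag -a v1.31 -m 'version 1.31'      # a real release: tag -s v1.31
    # The "mirror": a second clone, as a hosting site would serve.
    git clone -q "$work/upstream" "$work/mirror" 2>/dev/null

    # With a signed tag this line would read:  verify_tag "$work/mirror" v1.31 || return 1
    if verify_tag "$work/mirror" v1.31; then echo "tag signature ok"; fi

    regen_tarball "$work/upstream" v1.31 projectname 1.31 "$work/from-upstream.tar.gz"
    regen_tarball "$work/mirror"   v1.31 projectname 1.31 "$work/from-mirror.tar.gz"
    if same_tarball "$work/from-upstream.tar.gz" "$work/from-mirror.tar.gz"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

demo_roundtrip && echo "mirror tarball matches the one regenerated from the tag"
```

To use this for a real package, run `verify_tag` against your own clone first, regenerate with `regen_tarball`, and only then record the checksum of the regenerated file in your signed changes file; `same_tarball` against the downloaded copy tells you whether the mirror can be used interchangeably.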