Arch Linux User Repository

The recipe you linked to (gotop-git) skips hashes. How is that better than md5sum?

Because hashes are calculated internally by git.

Again, is there a tutorial for this? I haven't seen anything in the documentation I've read that discusses github code signing and how that integrates with aur.

Code signing on github or elsewhere is a generic topic. To enable verifying signatures in PKGBUILD you need to two things: Add ?signed after git repo url in source() array:

git+https://<repo_url>?signed#tag=<tag>"

Add validpgpkeys() array:

validpgpkeys=('<full gpg fingerprint in upper case>'

You can take a look at official kernel PKGBUILD how it's done there: https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/linux&id=e95dd7f0bc971d06117aa8642e511291c8131c97

Also here's wiki article that repeats my point about integrity checking: https://wiki.archlinux.org/index.php/PKGBUILD#Integrity

The recipe you linked to (gotop-git) skips hashes. How is that better than md5sum?

Again, is there a tutorial for this? I haven't seen anything in the documentation I've read that discusses github code signing and how that integrates with aur.

Signing the packages is easily done, but harder to automate.

I didn't talk about signing packages but signing your code in github.

What I'm having difficulty understanding is that what I think I'm hearing is that someone is actually advocating an entirely manual process for building packages, and that can't be right.

In AUR case you don't build any packages, just publish recipe for that.

I already advised you to use git if you don't have the time for hash thing. You may take a look at gotop-git (https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=gotop-git) and just use stable tag instead of HEAD.

Which tutorial should I follow? The one I found and used was saying to use makepkg -g.

This confuses me; the binaries and the archives containing them are built by an automated CI system. So, what am I supposed to be not trusting here? I don't understand the "accepting whatever you just downloaded" comment.

Signing the packages is easily done, but harder to automate. What I'm having difficulty understanding is that what I think I'm hearing is that someone is actually advocating an entirely manual process for building packages, and that can't be right.

I think a pointer to a best-practices page would be great. Keep in mind that I'm not only upstream, but I'm also trying to help multiple distributions, of which Arch is only one. The fact that I'm an Arch user myself does not lessen the amount of work necessary to package a release, so while I'm happy to follow best practices, it needs to be automate-able.

@serxxx well, it's not recommended to use makepkg -g to calculate hash, especially if you are the upstream. The hashes should be calculated independently, otherwise you are accepting whatever you just downloaded.

If you don't care enough for calculating hashes upstream then you may switch to git sources instead of tarballs which use hashes internally. It would be best to sign tags/tarballs with gpg.

See also https://git.archlinux.org/pacman.git/commit/?id=21af79860403f9120d2c0412a95ec97d06368e11

@egrupled There was no decision; it's what makepkg -g and makepkg --printsrcinfo produce by default in the official @latest archlinux container. https://hub.docker.com/_/archlinux. I replaced a hand-rolled script with an official tool, and accepted what it generated.

Why?

@serxxx what was the reason behind changing sha256sum to md5sum in https://aur.archlinux.org/cgit/aur.git/commit/?h=gotop&id=0e5001a04dd82b1f41a54f7f494484a51c57369f ?

Thanks folks. I appreciate the smooth transition.

Yeah that sounds fair. It would be good then to switch the upstream in all of the gotop packages. It may also be good to add serxxx as a co-maintainer of the packages. I can add him to gotop-bin but he'll have to request co-maintainership for the other packages.