On 21/08/15 11:12, Thomas Koch wrote:
> Sometimes we are lucky and upstream uses signed git tags. That still does not
> help us to verify the orig.tar.gz. It can however still be very useful.
>
Hi Thomas,

In case you're interested, I've tried to reproduce a "git archive" style tarball (for example, as generated by github) from a gpg-signed tag. This should at least imply some kind of trust.

Basically do (assuming you have some WOT toward the signer's key)

(1) git clone
(2) git tag --verify v1.31
(3) git archive v1.31 --prefix="projectname-1.31/" --format=tar | gzip -n > projectname-1.31.tar.gz

The produced tarball will be exactly the same as the github-generated tarball, so if you use this as .orig.tar.gz, embedding the checksum into your signed debian-changes file, you can use github's mirror safely and should not have to worry about man-in-the-middle attacks.

Since you now have a direct correlation between signed+verified tag and (locally, on your trusted system, regenerated) orig.tar.gz from this very tag, does this help?

- Danny
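The three steps above as a small shell script, added here as an illustration and not Danny's own code: it refuses to build unless `git tag --verify` succeeds, regenerates the tarball with `gzip -n`, and compares its SHA-256 against a separately downloaded copy. The function names (verify_tag, build_orig, tarballs_match, regen_and_check) and the argument layout are assumptions, as is the requirement that the reference tarball was produced by the same git and gzip versions as the local ones.

```shell
#!/bin/sh
# Added example, not the original poster's code. Assumes: a clone in $repo,
# a tag named v<version>, the upstream project name, and a reference
# tarball fetched from a mirror that we want to cross-check.
set -eu

sha256_of() {
    # Portable file digest: coreutils sha256sum, else BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step (2): git's exit status is the verdict. Fails for unsigned tags,
# bad signatures, and signatures from keys not in our keyring.
verify_tag() {
    git -C "$1" tag --verify "$2" >/dev/null 2>&1
}

# Step (3): build <name>-<version>.tar.gz the way "git archive" does.
# The tar entries carry the commit timestamp, not the wall clock, and
# gzip -n drops the name/mtime from the gzip header, so repeated runs
# on the same tag yield identical bytes.
build_orig() {
    repo=$1; tag=$2; name=$3; out=$4; version=${tag#v}
    git -C "$repo" archive --format=tar --prefix="$name-$version/" "$tag" \
        | gzip -n > "$out"
}

# Compare two tarballs by digest: 0 on match, 1 otherwise.
tarballs_match() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Glue: verify, regenerate, then compare with the mirror's copy.
# Usage: regen_and_check <repo> <tag> <name> <reference.tar.gz>
regen_and_check() {
    repo=$1; tag=$2; name=$3; reference=$4
    out="$name-${tag#v}.orig.tar.gz"
    verify_tag "$repo" "$tag" || { echo "$tag: bad or missing signature" >&2; return 1; }
    build_orig "$repo" "$tag" "$name" "$out"
    if tarballs_match "$out" "$reference"; then
        echo "$out matches $reference: $(sha256_of "$out")"
    else
        echo "$out differs from $reference, do not trust the mirror copy" >&2
        return 1
    fi
}
```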