ohai!I blogged about a new tool that can be used to verify a tarball from a signed git tag, while still pinning the sourcecode with >= sha256sum:
https://vulns.xyz/2022/05/auth-tarball-from-git/ Let me know what you think - that's all, kpcyrd
- auth-tarball-from-git: verifying signed git tags without s... kpcyrd
- [arch-dev-public] Re: auth-tarball-from-git: verifyin... Archange
- Re: auth-tarball-from-git: verifying signed git tags ... David Runge
- [arch-dev-public] Re: auth-tarball-from-git: veri... Archange
- Re: [arch-dev-public] Re: auth-tarball-from-g... Jonas Witschel
- Re: [arch-dev-public] Re: auth-tarball-fr... Morten Linderud
- Re: [arch-dev-public] Re: auth-tarball-fr... Allan McRae
- Re: [arch-dev-public] Re: auth-tarba... Jonas Witschel
