Bug 733430 - git-r3: support gpg tag verification
Summary: git-r3: support gpg tag verification
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Eclasses
Hardware: All Linux
Importance: Normal enhancement
Assignee: Michał Górny
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-07-21 14:52 UTC by Frédéric Pierret
Modified: 2020-07-21 19:24 UTC

See Also:
Package list:
Runtime testing required: ---


Description Frédéric Pierret 2020-07-21 14:52:45 UTC
It would be nice to add to `git-r3.eclass` the possibility of verifying the signature of tags pointing at the fetched HEAD.

If no signed tag is found, refuse and abort the emerge.
Comment 1 Michał Górny 2020-07-21 19:07:08 UTC
This would be an interesting feature but I'm afraid a low priority one (live ebuilds will never be acceptable to become ~arch in ::gentoo).  How would you see it working?  Including the public key in ebuild, making the eclass fetch it from some keyserver?
Comment 2 Frédéric Pierret 2020-07-21 19:24:04 UTC
(In reply to Michał Górny from comment #1)
> This would be an interesting feature but I'm afraid a low priority one (live
> ebuilds will never be acceptable to become ~arch in ::gentoo).  How would
> you see it working?  Including the public key in ebuild, making the eclass
> fetch it from some keyserver?

For example, take a look at the Qubes overlay I'm working on: https://github.com/fepitre/qubes-gentoo where I put a keys folder, the eclass for checking signatures https://github.com/fepitre/qubes-gentoo/blob/master/eclass/qubes.eclass and I'm calling the function from the eclass, for example here: https://github.com/fepitre/qubes-gentoo/blob/95f29876b5b22d233fc6d3ebcd965ea35dd04ad4/app-emulation/qubes-core-agent-linux/qubes-core-agent-linux-4.1.14-r1.ebuild#L44

So the option could be to use a specific path for the key to look for, or to use a keyserver. Generally, I'm more for the first solution due to the random reliability of keyservers. That's notably why I need to use "sync-openpgp-key-refresh = false" in the overlay conf and why I asked for some ideas in https://forums.gentoo.org/viewtopic-t-1116440.html.

I would also be happy to help in this task.
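One way the pinned-key variant discussed in this thread could look as a pair of bash functions, as an added example that is neither git-r3.eclass code nor the overlay's qubes.eclass: it assumes a directory of ASCII-armoured public keys (keys/*.asc, modelled on the overlay's keys folder), and git and gpg on the host. The point it adds is that a GOODSIG line alone is not a pin; the VALIDSIG fingerprint must match a key shipped with the overlay.

```bash
#!/usr/bin/env bash
# Added example (not code from git-r3.eclass or the qubes overlay): accept a
# fetched HEAD only when a tag pointing at it is signed by a key pinned in a
# local directory of keys/*.asc files (the overlay's layout), no keyserver.
set -euo pipefail

# Judge gpg status lines (what 'git verify-tag --raw' emits). GOODSIG alone
# means "some key in the keyring signed it"; we also require a VALIDSIG whose
# signing-key or primary-key fingerprint is pinned, and reject error statuses.
# Usage: _check_gpg_status "<status text>" PINNED_FPR [PINNED_FPR...]
_check_gpg_status() {
	local status=$1; shift
	local -a pinned=("$@") f
	local line a
	if grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)' <<<"${status}"; then
		return 1
	fi
	while IFS= read -r line; do
		[[ ${line} == "[GNUPG:] VALIDSIG "* ]] || continue
		# Fields: [GNUPG:] VALIDSIG <signing-key fpr> <date> ... <primary-key fpr>
		read -ra f <<<"${line}"
		for a in "${pinned[@]}"; do
			[[ ${f[2]^^} == "${a^^}" || ${f[-1]^^} == "${a^^}" ]] && return 0
		done
	done <<<"${status}"
	return 1
}

# Verify the checked-out HEAD of repo $1 against the key files in directory $2.
# Returns 0 only if some tag pointing exactly at HEAD verifies; an ebuild would
# wrap the call in 'die' so a missing or bad signature aborts the emerge.
verify_head_tag() {
	local repo=$1 keydir=$2
	local gnupghome tag status rc=1
	local -a pinned
	gnupghome=$(mktemp -d)   # private keyring built only from the pinned files
	gpg --homedir "${gnupghome}" --batch --quiet --import "${keydir}"/*.asc
	mapfile -t pinned < <(gpg --homedir "${gnupghome}" --with-colons --fingerprint |
		awk -F: '$1 == "fpr" { print $10 }')
	while IFS= read -r tag; do
		# --raw sends gpg status to stderr; git also exits non-zero on failure.
		if status=$(GNUPGHOME=${gnupghome} git -C "${repo}" verify-tag --raw "${tag}" 2>&1) &&
		   _check_gpg_status "${status}" "${pinned[@]}"; then
			rc=0; break
		fi
	done < <(git -C "${repo}" tag --points-at HEAD)
	rm -rf "${gnupghome}"
	return "${rc}"
}
```

Lightweight tags carry no signature, so `git verify-tag` fails on them and they are skipped; only an annotated, signed tag naming exactly HEAD can make `verify_head_tag` succeed.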