Enhance livecheck to check not only version but also checksums

Ryan Schmidt ryandesign at macports.org
Tue Mar 20 23:13:01 UTC 2018


On Mar 20, 2018, at 09:26, Mojca Miklavec wrote:

> On 20 March 2018 at 00:59, Ryan Schmidt wrote:
>> It's been pointed out before that when updating a port to a new version, one should not just update the version and checksums in the portfile; one should also verify at least one of those checksums with the ones published by the developers -- assuming the developers publish them.
>> 
>> It would be great if livecheck could help us with that. So in addition to specifying the current livecheck.url and livecheck.regex for extracting an available new version number, there should be new options where a port could specify a url for a page where that new version's checksums are published, and regexes for extracting them.
>> 
>> Once that's done, it makes it easier to implement a better "bump" command -- one that can use any published checksums and compute the rest, and warn if no checksums were published.
>> 
>> https://trac.macports.org/ticket/53851
>> 
>> One possible interface:
>> 
>> default livechecksum.type {none}
>> default livechecksum.url {${livecheck.url}}
>> default livechecksum.ignore_sslcert {${livecheck.ignore_sslcert}}
>> 
>> default livechecksum.md5 {the first distfile's md5}
>> default livechecksum.md5.url {${livechecksum.url}}
>> default livechecksum.md5.ignore_sslcert {${livechecksum.ignore_sslcert}}
>> default livechecksum.md5.regex {""}
>> 
>> (repeat for the other checksum types sha1, rmd160, sha256, sha512, and maybe size)
> 
> Do you also want to support signatures then?
> Public keys are pretty long though, but they usually don't change.
> 
> One example: https://waf.io

I have given no thought to the question of adding the ability for MacPorts to verify signatures. If you want to discuss it, I'd prefer you open a separate thread so we can keep this thread focused on livecheck improvements.
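
The check proposed in the quoted message, as an added Python sketch that is not part of the original thread and not MacPorts code: per-type regexes (standing in for the proposed `livechecksum.<type>.regex` options) pull published digests out of a page, each is compared with the digest computed from the distfile, and the absence of any published checksum produces a warning. The page text, distfile bytes, regexes and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample data: a distfile and the page its developers might publish.
DISTFILE = b"constructed example tarball contents\n"
PUBLISHED_PAGE = (
    "foo-1.2.3.tar.gz\n"
    "  SHA256: " + hashlib.sha256(DISTFILE).hexdigest().upper() + "\n"
    "  SHA1:   " + hashlib.sha1(DISTFILE).hexdigest() + "\n"
)

# Hypothetical per-type regexes; each has one capture group for the hex digest.
REGEXES = {
    "sha256": r"SHA256:\s*([0-9A-Fa-f]{64})\b",
    "sha1": r"SHA1:\s*([0-9A-Fa-f]{40})\b",
    "sha512": r"SHA512:\s*([0-9A-Fa-f]{128})\b",
}


def check_published(page, distfile, regexes):
    """Map each checksum type to 'match', 'mismatch' or 'unpublished'."""
    results = {}
    for ctype, pattern in regexes.items():
        found = re.search(pattern, page)
        if found is None:
            # Nothing on the page for this type: it can only be computed locally.
            results[ctype] = "unpublished"
            continue
        published = found.group(1).lower()  # pages often print uppercase hex
        computed = hashlib.new(ctype, distfile).hexdigest()
        results[ctype] = "match" if published == computed else "mismatch"
    return results


def verdict(results):
    """Any mismatch fails; one match is enough to verify; otherwise warn."""
    values = results.values()
    if "mismatch" in values:
        return "mismatch"
    if "match" in values:
        return "verified"
    return "warn: no checksums published"


if __name__ == "__main__":
    outcome = check_published(PUBLISHED_PAGE, DISTFILE, REGEXES)
    print(outcome, verdict(outcome))
```

A digest page fetched with certificate checking disabled confirms only that the download matches what that connection served, so a match there is weaker evidence than one from an authenticated page.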



