[LEDE-DEV] [question] gpg signature validation of source package

Felix Fietkau nbd at nbd.name
Thu May 11 00:27:38 PDT 2017


On 2017-05-11 09:16, Alif M. A. wrote:
> I am preparing for grub-2.02 package upgrade.
> 
> The download mirror provides a gpg signature (.sig file), which can be
> used to validate the source package.
> 
> Does the LEDE build system have a way to verify a source package using
> a gpg signature? I'd rather use gpg verification if possible, rather than
> checksum verification.
There is no support for that, and I don't think it's a good idea to add
it. You don't gain any extra security advantage compared to putting in
the SHA256 hash of a file where you verified the .gpg signature yourself.

- Felix
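
The manual workflow the reply describes (verify the signature once yourself, then record the SHA256), as an added example that is not part of the original thread or of the LEDE build system. It assumes the maintainer already has the upstream signing key imported and knows its fingerprint out of band; the function names are hypothetical, and `PKG_HASH` is the package Makefile variable that holds the SHA256.

```shell
#!/bin/sh
# Added example (not LEDE code): check a detached signature against a pinned
# key fingerprint, then print the SHA256 line to paste into the Makefile.

# Reads `gpg --status-fd` output on stdin. Prints the primary-key fingerprint
# only if exactly one VALIDSIG is present and no bad/expired/revoked status
# accompanies it; otherwise returns non-zero.
validsig_fpr() {
    awk '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: $3 is the signing (sub)key, $12 the primary key if given.
        $2 == "VALIDSIG" { n++; fpr = ($12 != "" ? $12 : $3) }
        END { if (bad || n != 1) exit 1; print fpr }
    '
}

# verify_and_hash <tarball> <detached-sig> <expected-primary-fingerprint>
verify_and_hash() {
    tarball=$1 sig=$2 want=$3
    # Machine-readable status goes to stdout; human-readable text is dropped.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) \
        || { echo "signature check failed" >&2; return 1; }
    got=$(printf '%s\n' "$status" | validsig_fpr) \
        || { echo "no single clean VALIDSIG in gpg output" >&2; return 1; }
    # A good signature from some other key in the keyring is not acceptable.
    [ "$got" = "$want" ] \
        || { echo "signed by unexpected key: $got" >&2; return 1; }
    printf 'PKG_HASH:=%s\n' "$(sha256sum "$tarball" | cut -d' ' -f1)"
}

# Run directly as: script <tarball> <sig> <fingerprint>
if [ "$#" -eq 3 ]; then
    verify_and_hash "$@"
fi
```

The build then only ever compares the downloaded file against the recorded hash, so the build host needs neither gpg nor a keyring.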


