[LEDE-DEV] [question] gpg signature validation of source package
Felix Fietkau
nbd at nbd.name
Thu May 11 00:27:38 PDT 2017
On 2017-05-11 09:16, Alif M. A. wrote:
> I am preparing for grub-2.02 package upgrade.
>
> The download mirror provides a gpg signature (.sig file), which can be
> used to validate the source package.
>
> Does LEDE build system have a way to verify source package using gpg
> signature? I'd rather use gpg verification if possible, rather than
> checksum verification.
There is no support for that, and I don't think it's a good idea to add
it. You don't gain any extra security advantage compared to putting in
the SHA256 hash of a file where you verified the .gpg signature yourself.
- Felix
More information about the Lede-dev
mailing list