[LEDE-DEV] [question] gpg signature validation of source package

Alif M. A. alive4ever at live.com
Thu May 11 06:34:25 PDT 2017


On 11/05/2017 14:27, Felix Fietkau wrote:
> On 2017-05-11 09:16, Alif M. A. wrote:
>> I am preparing for grub-2.02 package upgrade.
>>
>> The download mirror provides a gpg signature (.sig file), which can be
>> used to validate the source package.
>>
>> Does LEDE build system have a way to verify source package using gpg
>> signature? I'd rather use gpg verification if possible, rather than
>> checksum verification.
> There is no support for that, and I don't think it's a good idea to add
> it. You don't gain any extra security advantage compared to putting in
> the SHA256 hash of a file where you verified the .gpg signature yourself.
> 
> - Felix
> 

I'll just verify the signature myself and provide the checksum as usual.

Thanks for the explanation.
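
The workflow agreed on in this thread (verify the .sig once by hand, then commit the SHA256), as an added example that is not part of the original messages or of the LEDE build system. `pin_after_verify`, `check_pinned` and `VERIFY_CMD` are hypothetical names for this sketch; `PKG_HASH` is the package Makefile variable that carries the checksum.

```shell
#!/bin/sh
# Added example (not LEDE code): verify a detached signature once, then emit
# the SHA256 to pin in the package Makefile.
# VERIFY_CMD is an assumption of this sketch. It defaults to gpgv and is run as:
#   $VERIFY_CMD --keyring <keyring> <sigfile> <tarball>
# Give the keyring as a path containing a slash so gpgv does not look for it
# in its home directory.

pin_after_verify() {
    tarball=$1
    sig=$2
    keyring=$3
    verify=${VERIFY_CMD:-gpgv}

    for f in "$tarball" "$sig" "$keyring"; do
        [ -f "$f" ] || { echo "missing file: $f" >&2; return 2; }
    done

    # Fail closed: no hash is printed unless the signature verifies against
    # the keyring the maintainer chose for this upstream.
    if ! "$verify" --keyring "$keyring" "$sig" "$tarball" >&2; then
        echo "signature verification failed: $tarball" >&2
        return 1
    fi

    hash=$(sha256sum "$tarball" | cut -d' ' -f1)
    printf 'PKG_HASH:=%s\n' "$hash"
}

# What every later download is checked against: the pinned hash only.
# The signature is not consulted again, so the pin carries the trust decision.
check_pinned() {
    tarball=$1
    pinned=$2
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    [ "$actual" = "$pinned" ]
}
```

The pinned hash is only as trustworthy as the keyring passed in, so the signing key's fingerprint should be confirmed out of band before the first run.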

