[U-Boot] [RFC] tools/buildman/toolchain.py: check signatures

Simon Glass sjg at chromium.org
Mon Jul 29 19:27:35 UTC 2019


Hi Heinrich,

On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>
> Hello Tom, hello Simon,
>
> when downloading toolchains with tools/buildman/toolchain.py or in our
> Dockerfile we do not check the integrity of the download.
>
> When I look at
> https://www.kernel.org/pub/tools/crosstool/files/bin
> I find a signature file for each tool.
>
> So shouldn't we first download the public keys with gpg, then download
> the tools and their signatures, and then check them against the keys?

Sounds reasonable to me, so long as gpg is installed, and we can add a
test for it.

Regards,
Simon
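The check proposed in this thread, sketched as an added example (not code from U-Boot, buildman, or either poster): it verifies a detached signature with gpg, fails closed when gpg is missing, and accepts only a pinned signer fingerprint rather than any key that happens to be in the keyring. The function names, the `PINNED` placeholder fingerprint, and the sample status lines are constructed for illustration.

```python
import os
import shutil
import subprocess

# Placeholder fingerprint (constructed); pin the real signer's, obtained out of band.
PINNED = {"A" * 40}

# Constructed samples of gpg --status-fd output, used to exercise the parser offline.
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2019-07-29 1564428455 0 4 0 1 8 00 "
    + "A" * 40 + "\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG AAAAAAAAAAAAAAAA Constructed Signer\n"

FAILURES = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def signature_ok(status_text, pinned):
    """True only if a pinned key produced a valid signature and none failed."""
    valid = False
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAILURES:
            return False
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # fields[2] is the signing key fingerprint; the last field is
            # the primary key fingerprint when gpg reports one.
            if {fields[2].upper(), fields[-1].upper()} & pinned:
                valid = True
    return valid


def verify_download(archive, signature, keyring, pinned=PINNED):
    """Check a detached signature before the archive is unpacked."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found; refusing to use an unverified download")
    proc = subprocess.run(
        [gpg, "--batch", "--no-default-keyring",
         "--keyring", os.path.abspath(keyring),
         "--status-fd", "1", "--verify", signature, archive],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
        universal_newlines=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, pinned)
```

Because `signature_ok` works on the status text alone, a unit test can cover the accept and reject paths without gpg or network access.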

