[U-Boot] [RFC] tools/buildman/toolchain.py: check signatures

Heinrich Schuchardt xypron.glpk at gmx.de
Mon Jul 29 20:27:41 UTC 2019


On 7/29/19 9:27 PM, Simon Glass wrote:
> Hi Heinrich,
>
> On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt <xypron.glpk at gmx.de> wrote:
>>
>> Hello Tom, hello Simon,
>>
>> when downloading toolchains with tools/buildman/toolchain.py or in our
>> Dockerfile we do not check the integrity of the download.
>>
>> When I look at
>> https://www.kernel.org/pub/tools/crosstool/files/bin
>> I find a signature file for each tool.
>>
>> So shouldn't we first download the public keys with gpg, then download
>> the tools and their signatures, and then check them against the keys?
>
> Sounds reasonable to me, so long as gpg is installed, and we can add a
> test for it.

For other tools we simply assume that they are installed and do not have
different paths based on existence. So I think we only would have to add
the gnupg dependency to .travis.yml and Dockerfile before adjusting
buildman.

Regards

Heinrich
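The check proposed in this thread, sketched as an added example (not code from buildman or from either poster): verify a detached signature with gpg and accept the download only if the signer is a pinned key, rather than trusting gpg's exit code alone. The function names, keyring path and fingerprints are hypothetical, and the status lines are constructed samples.

```python
import os
import subprocess

# gpg status keywords that must never appear for an acceptable signature.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed fingerprints and status output, for illustration only.
SUBKEY_FPR = "1111111111111111111111111111111111111111"
PRIMARY_FPR = "2222222222222222222222222222222222222222"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111111111111111 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + SUBKEY_FPR + " 2019-07-29 1564431461 0 4 0 1 8 00 "
    + PRIMARY_FPR + "\n")
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 1111111111111111 Example Signer\n"


def signer_from_status(status_text):
    """Return the primary-key fingerprint of the one valid signature, or None."""
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2] is the key that made the signature; when gpg reports
            # it, the last field (index 11) is the primary key fingerprint.
            primary = fields[11] if len(fields) >= 12 else fields[2]
            signers.append(primary.upper())
    # Exactly one valid signature is expected on a toolchain download.
    return signers[0] if len(signers) == 1 else None


def verify_download(data_path, sig_path, keyring_path, trusted_fprs):
    """Run gpg on a detached signature; accept only a pinned signer."""
    cmd = ["gpg", "--batch", "--no-default-keyring",
           "--keyring", os.path.abspath(keyring_path),
           "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL, universal_newlines=True)
    signer = signer_from_status(proc.stdout)
    return proc.returncode == 0 and signer in {f.upper() for f in trusted_fprs}
```

Pinning the fingerprint matters because a keyring populated from a keyserver may contain keys other than the one expected to sign the toolchains.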

