[BUG] binman does not check signature of toolchain

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Tue Oct 26 21:42:55 CEST 2021

Downloading binaries and executing without checking the authenticity is 
at least unwise.

When binman downloads GCC it should also download and verify the GPG 

Additionally binman could hold a list of the SHA256 hashes of all 
binaries in question for a further check.

Best regards


More information about the U-Boot mailing list