[BUG] binman does not check signature of toolchain
Simon Glass
sjg at chromium.org
Wed Oct 27 16:05:28 CEST 2021

Hi Heinrich,

On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
<heinrich.schuchardt at canonical.com> wrote:
>
> Downloading binaries and executing without checking the authenticity is
> at least unwise.
>
> When binman downloads GCC it should also download and verify the GPG
> signatures.
>
> Additionally binman could hold a list of the SHA256 hashes of all
> binaries in question for a further check.

Buildman? Yes that sounds like a nice feature. Did you hit a problem,
or just come up with this idea? You could try the new issue tracker!

Regards,
Simon
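
The SHA256 list proposed in the quoted report could work as in the following sketch, which is an added example and not buildman or binman code. The archive name, its contents and the pin table are constructed for illustration; a real tool would carry the pins as literals in its source tree. The GPG signature check from the first suggestion is not covered here.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample: hypothetical archive name and contents. The pin is
# derived from the sample bytes only so that this example runs offline.
SAMPLE_NAME = "example-toolchain.tar.xz"
SAMPLE_BYTES = b"constructed sample archive contents\n"
PINNED_SHA256 = {SAMPLE_NAME: hashlib.sha256(SAMPLE_BYTES).hexdigest()}

class VerificationError(Exception):
    """Raised when a download must not be unpacked or executed."""

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fd:
        for chunk in iter(lambda: fd.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_download(path, pinned):
    """Return the digest if it matches the pin; fail closed otherwise."""
    name = os.path.basename(path)
    expected = pinned.get(name)
    if expected is None:
        raise VerificationError(f"{name}: no pinned hash, refusing to use")
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, expected.lower()):
        raise VerificationError(f"{name}: SHA-256 mismatch (got {actual})")
    return actual

def demo():
    """Check an intact file, a modified file and a file with no pin."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, SAMPLE_NAME)
        other = os.path.join(tmp, "unlisted.tar.xz")
        for target in (path, other):
            with open(target, "wb") as fd:
                fd.write(SAMPLE_BYTES)
        results["intact"] = verify_download(path, PINNED_SHA256)
        with open(path, "ab") as fd:
            fd.write(b"x")  # simulate modification after pinning
        for label, target in (("tampered", path), ("unlisted", other)):
            try:
                verify_download(target, PINNED_SHA256)
                results[label] = "accepted"
            except VerificationError:
                results[label] = "rejected"
    return results
```

The check has to run before the archive is unpacked or anything in it is executed, and a file with no pin is rejected rather than passed through.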