[BUG] buildman does not check signature of toolchain

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Wed Oct 27 16:22:59 CEST 2021

On 10/27/21 16:05, Simon Glass wrote:
> Hi Heinrich,
> On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt
> <heinrich.schuchardt at canonical.com> wrote:
>> Downloading binaries and executing without checking the authenticity is
>> at least unwise.
>> When binman downloads GCC it should also download and verify the GPG
>> signatures.
>> Additionally binman could hold a list of the SHA256 hashes of all
>> binaries in question for a further check.
> Buildman? Yes that sounds like a nice feature. Did you hit a problem,
> or just come up with this idea? You could try the new issue tracker!


I have seen this script downloading binaries and executing them on my 
machine without verification. This makes me feel insecure.

test/run invokes buildman.

The same is true for tools/docker/Dockerfile. As Docker does not use its 
own kernel you should avoid running untrusted binaries in a container.

Best regards


More information about the U-Boot mailing list