29 Jul
2019
29 Jul
'19
9:27 p.m.
Hi Heinrich,
On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
Hello Tom, hello Simon,
when downloading toolchains with tools/buildman/toolchain.py or in our Dockerfile we do not check the integrity of the download.
When I look at https://www.kernel.org/pub/tools/crosstool/files/bin I find a signature file for each tool.
So shouldn't we first download the public keys with gpg, then download the tools and their signatures, and then check them against the keys?
Sounds reasonable to me, so long as gpg is installed, and we can add a test for it.
Regards, Simon