
29 Jul 2019, 9:14 p.m.
Hello Tom, hello Simon,
When downloading toolchains with tools/buildman/toolchain.py or in our Dockerfile, we do not check the integrity of the download.
When I look at https://www.kernel.org/pub/tools/crosstool/files/bin I find a signature file for each tool.
So shouldn't we first download the public keys with gpg, then download the tools and their signatures, and then check them against the keys?
Best regards
Heinrich
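
The check proposed in the message above, as an added example that is not part of the original mail and not buildman's own code: run `gpg --verify` against a dedicated keyring and accept the download only if the machine-readable status output names a pinned signer fingerprint. The fingerprint, the sample status text and the function names are constructed placeholders.

```python
import subprocess

# Constructed placeholder, NOT a real key: pin the real signer's fingerprint here.
PINNED = "B" * 40
# Status keywords that disqualify a signature even if VALIDSIG also appears.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd` output: signing subkey A..., primary key B...
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 1111222233334444 Constructed Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG " + "A" * 40 + " 2019-07-29 1564400000 0 4 0 1 10 00 "
    + "B" * 40 + "\n"
)

def signer_from_status(status_text):
    """Return the primary-key fingerprint of the one valid signature, else None."""
    signers = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG" and args:
            # The 10th argument is the primary key's fingerprint (present when a
            # subkey signed); fall back to the signing key's own fingerprint.
            signers.append((args[9] if len(args) >= 10 else args[0]).upper())
    # Require exactly one signature so a stray extra signer cannot slip through.
    return signers[0] if len(signers) == 1 else None

def is_trusted(status_text, pinned_fprs):
    """True only if the signature is valid AND made by a pinned key."""
    pinned = {f.replace(" ", "").upper() for f in pinned_fprs}
    signer = signer_from_status(status_text)
    return signer is not None and signer in pinned

def verify_download(archive, signature, keyring, pinned_fprs):
    """Verify a detached signature; keyring must be a path containing a '/'."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", signature, archive],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    # Exit status 0 alone only says "good signature by some key in the keyring".
    return proc.returncode == 0 and is_trusted(proc.stdout, pinned_fprs)
```

Pinning the fingerprint matters because a key fetched over the network at build time is only as trustworthy as the channel it came from.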