[U-Boot] [RFC] tools/buildman/toolchain.py: check signatures

Hello Tom, hello Simon,
when downloading toolchains with tools/buildman/toolchain.py or in our Dockerfile we do not check the integrity of the download.
When I look at https://www.kernel.org/pub/tools/crosstool/files/bin I find a signature file for each tool.
So shouldn't we first download the public keys with gpg, then download the tools and their signatures, and then check them against the keys?
Best regards
Heinrich

Hi Heinrich,
On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
Hello Tom, hello Simon,
when downloading toolchains with tools/buildman/toolchain.py or in our Dockerfile we do not check the integrity of the download.
When I look at https://www.kernel.org/pub/tools/crosstool/files/bin I find a signature file for each tool.
So shouldn't we first download the public keys with gpg, then download the tools and their signatures, and then check them against the keys?
Sounds reasonable to me, so long as gpg is installed, and we can add a test for it.
Regards, Simon

On 7/29/19 9:27 PM, Simon Glass wrote:
Hi Heinrich,
On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt xypron.glpk@gmx.de wrote:
Hello Tom, hello Simon,
when downloading toolchains with tools/buildman/toolchain.py or in our Dockerfile we do not check the integrity of the download.
When I look at https://www.kernel.org/pub/tools/crosstool/files/bin I find a signature file for each tool.
So shouldn't we first download the public keys with gpg, then download the tools and their signatures, and then check them against the keys?
Sounds reasonable to me, so long as gpg is installed, and we can add a test for it.
For other tools we simply assume that they are installed and do not have different paths based on existence. So I think we would only have to add the gnupg dependency to .travis.yml and Dockerfile before adjusting buildman.
Regards
Heinrich
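The check proposed in this thread (fetch the signing key, the tarball and its detached signature, then verify), sketched as an added Python example that is not buildman's code and not part of the thread: it runs gpg against a dedicated keyring and accepts the download only if gpg's machine-readable status output reports a valid signature from a pinned key fingerprint. The fingerprint, key id and sample status lines below are constructed placeholders, not values from kernel.org.

```python
import subprocess

# gpg prefixes its machine-readable status lines (--status-fd) with this.
STATUS_PREFIX = "[GNUPG:] "
# Status keywords after which the download must be rejected.
FAILURE_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}
# Placeholder: a real deployment pins the fingerprint of the toolchain signing key here.
PINNED_FPR_PLACEHOLDER = "0123456789ABCDEF0123456789ABCDEF01234567"


def parse_gpg_status(status_text, expected_fpr):
    """Return True only if gpg reported VALIDSIG from the pinned key and no failure."""
    want = expected_fpr.replace(" ", "").upper()
    seen_valid = False
    for line in status_text.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        if fields[0] in FAILURE_KEYWORDS:
            return False
        # VALIDSIG <sig-key-fpr> <date> <ts> <expire> <ver> <res> <pk-algo> <hash> <class> [<primary-fpr>]
        if fields[0] == "VALIDSIG" and len(fields) >= 2:
            fprs = {fields[1].upper()}
            if len(fields) >= 11:
                fprs.add(fields[10].upper())  # primary key when a subkey signed
            if want in fprs:
                seen_valid = True
    return seen_valid


def verify_detached_signature(tarball, sig_file, keyring, expected_fpr):
    """Run gpg against a keyring file holding only the downloaded signing key."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sig_file, tarball]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    # The exit status alone is not enough; the status lines must also name the pinned key.
    return proc.returncode == 0 and parse_gpg_status(proc.stdout, expected_fpr)


# Constructed samples of gpg status output (not captured from a real download).
SAMPLE_GOOD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.com>",
    "[GNUPG:] VALIDSIG %s 2019-07-29 1564400000 0 4 0 1 8 00 %s"
    % (PINNED_FPR_PLACEHOLDER, PINNED_FPR_PLACEHOLDER),
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.com>"
SAMPLE_NO_KEY = "[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1564400000 9\n[GNUPG:] NO_PUBKEY 89ABCDEF01234567"
```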