On 11/05/2017 14:27, Felix Fietkau wrote: > On 2017-05-11 09:16, Alif M. A. wrote: >> I am preparing for grub-2.02 package upgrade. >> >> The download mirror provides a gpg signature (.sig file), which can be >> used to validate the source package. >> >> Does LEDE build system have a way to verify source package using gpg >> signature? I'd rather use gpg verification if possible, rather than >> checksum verification. > There is no support for that, and I don't think it's a good idea to add > it. You don't gain any extra security advantage compared to putting in > the SHA256 hash of a file where you verified the .gpg signature yourself. > > - Felix >
I'll just verify the signature myself and provide the checksum as usual. Thanks for the explanation. _______________________________________________ Lede-dev mailing list Lede-dev@lists.infradead.org http://lists.infradead.org/mailman/listinfo/lede-dev
