Bug #747
[RFC] PKGBUILDs should include SHA512 checksum + GPG signature
Description
Gentoo is now using SHA512 + Whirlpool and GPG-signed source packages. I got the idea that this great security practice could be implemented in our PKGBUILDs as well and went to work to see if it was possible. Using just a few lines of bash, it is definitely possible.
Attached you will find a proof of concept PKGBUILD I made for a file integrity checking security software that is GPL.
This could be good practice for users of AUR/ABS, etc. where PKGBUILDs can be verified safe and untampered.
Files
History
Updated by g4jc over 7 years ago
- File PKGBUILD.zip added
Per Emulatorman we should use .sig instead of armoured .asc to keep it uniform with currently signed packages.
I can confirm this also works as simply as...
gpg --default-key [KEYID] -b PKGBUILD
Attached is another example GPG-signed PKGBUILD of a recently requested package.
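As an added example (not g4jc's attached PKGBUILD and not part of Parabola's tooling), here is how a consumer of such a signed PKGBUILD would gate makepkg on the detached `.sig` produced by `gpg -b PKGBUILD` and then re-check the sha512sums the recipe declares. The TRUSTED_FPRS allowlist of packager key fingerprints and the `PKGBUILD.sig` filename are assumptions of this script.

```shell
#!/bin/sh
# Added example: verify PKGBUILD.sig (binary detached signature from `gpg -b`)
# against a fingerprint allowlist, then re-check the declared sha512sums.
# TRUSTED_FPRS: space-separated 40-hex fingerprints of trusted packagers
# (operator-supplied assumption; empty means no signer is trusted).
TRUSTED_FPRS="${TRUSTED_FPRS:-}"

# verify_signature PKGBUILD PKGBUILD.sig
# Succeeds only on a VALIDSIG whose signing-key fingerprint ($3 of the status
# line) is in TRUSTED_FPRS. GOODSIG alone is not enough: gpg prints it for
# expired or never-trusted keys, so the fingerprint is matched explicitly.
verify_signature() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] || return 1
    for trusted in $TRUSTED_FPRS; do
        [ "$trusted" = "$fpr" ] && return 0
    done
    return 1
}

# verify_sha512sums PKGBUILD [srcdir]
# A PKGBUILD is bash, so it is evaluated only after the signature check, and
# in a separate bash process so nothing it defines leaks into this script.
# sha512sums[i] must match the local copy of source[i]; "SKIP" entries are
# passed over as makepkg does (conventional for .sig/.asc sources).
verify_sha512sums() {
    pkgbuild=$1; srcdir=${2:-$(dirname "$1")}
    case $pkgbuild in */*) ;; *) pkgbuild=./$pkgbuild ;; esac
    pairs=$(bash -c '
        set -e; source "$1"
        for i in "${!source[@]}"; do
            f=${source[$i]}
            case $f in *::*) f=${f%%::*} ;; *) f=${f##*/} ;; esac  # local name
            printf "%s %s\n" "$f" "${sha512sums[$i]}"
        done' _ "$pkgbuild") || return 1
    [ -n "$pairs" ] || return 1
    printf '%s\n' "$pairs" | while read -r file sum; do
        [ "$sum" = "SKIP" ] && continue
        actual=$(sha512sum -- "$srcdir/$file" | cut -d' ' -f1) || exit 1
        [ "$actual" = "$sum" ] || exit 1
    done
}

# Usage: verify_pkgbuild ./PKGBUILD && makepkg
verify_pkgbuild() {
    verify_signature "$1" "$1.sig" || { echo "refusing: bad or untrusted signature" >&2; return 1; }
    verify_sha512sums "$1" || { echo "refusing: sha512sums mismatch" >&2; return 1; }
}
```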
Updated by Anonymous over 7 years ago
g4jc wrote:
Per Emulatorman we should use .sig instead of armoured .asc to keep it uniform with currently signed packages.
I can confirm this also works as simply as...
gpg --default-key [KEYID] -b PKGBUILD
Attached is another example GPG-signed PKGBUILD of a recently requested package.
I suggest you open a consensus about it on the devs list as official packaging policy for Parabola.
Updated by lukeshu almost 7 years ago
- Priority changed from feature to discussion
- Subject changed from PKGBUILDs should include SHA512 checksum + GPG signature to [RFC] PKGBUILDs should include SHA512 checksum + GPG signature