On Mon, Oct 31, 2016 at 06:04:48PM +0100, Levente Polyak wrote:
> I get your point what you try to achieve, but the PKGBUILD already contains the integrity values (checksums) for all external sources, and if you sign the PKGBUILD (which is the build script) then you have implicitly authenticated all integrity values of the external sources.
> A signature is nothing more (but also nothing less) than an authenticated checksum. If you sign a tarball then you "only" sign its hash.
> On top (like a bonus :P), if you sign the PKGBUILD then you have not only authenticated the checksums of the external sources but also the build script itself. So you really want to sign that instead ;)
As a side question... is there a significant difference between signing the PKGBUILD and signing the compiled package? Given that when building a pkg I inspect the PKGBUILD, what attack is possible when the PKGBUILD is not signed? Also, isn't the use of a dev signature to validate upstream sources a logical flaw? A dev might herself be misled and build a trojaned source...

Thx,
L.

--
Leonid Isaev
GPG fingerprints: DA92 034D B4A8 EC51 7EA6 20DF 9291 EE8A 043C B8C4
                  C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
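Levente's argument above (a signed PKGBUILD transitively authenticates every source it lists) as an added example; this is not code from the thread or from makepkg. The developer's signature is modelled as a trusted SHA-256 digest of the PKGBUILD, and the PKGBUILD text and source blobs are constructed samples.

```python
"""Verify a PKGBUILD's source checksums, treating the signed PKGBUILD as the trust root.

Added example, not from the mailing-list thread or from pacman/makepkg.
The developer's signature over the PKGBUILD is modelled as a trusted SHA-256
digest (a signature being an authenticated checksum); a real deployment would
check a detached GPG signature at that step instead.
"""
import hashlib
import re
from typing import Dict, List

# Constructed sample sources and a minimal PKGBUILD that lists their sha256sums.
SRC_A = b"example source tarball A\n"
SRC_B = b"example source tarball B\n"
SOURCES = {"foo-1.0.tar.gz": SRC_A, "foo.patch": SRC_B}
SUM_A = hashlib.sha256(SRC_A).hexdigest()
SUM_B = hashlib.sha256(SRC_B).hexdigest()
PKGBUILD = f"""pkgname=foo
pkgver=1.0
source=('foo-1.0.tar.gz' 'foo.patch')
sha256sums=('{SUM_A}'
            '{SUM_B}')
""".encode()

# Trusted digest of the PKGBUILD: stand-in for the developer's signature.
TRUSTED_PKGBUILD_DIGEST = hashlib.sha256(PKGBUILD).hexdigest()


def parse_array(text: str, name: str) -> List[str]:
    """Extract the single-quoted entries of a bash array such as source=(...)."""
    m = re.search(r"^%s=\((.*?)\)" % re.escape(name), text, re.S | re.M)
    if not m:
        raise ValueError("missing array: " + name)
    return re.findall(r"'([^']*)'", m.group(1))


def verify_build(pkgbuild: bytes, sources: Dict[str, bytes], trusted_digest: str) -> bool:
    """Return True only if the PKGBUILD is authentic AND every source matches it."""
    # Step 1: authenticate the build script itself (signature check stand-in).
    if hashlib.sha256(pkgbuild).hexdigest() != trusted_digest:
        return False
    text = pkgbuild.decode()
    names = parse_array(text, "source")
    sums = parse_array(text, "sha256sums")
    if len(names) != len(sums):
        return False
    # Step 2: the now-trusted checksums transitively authenticate each source.
    return all(hashlib.sha256(sources[n]).hexdigest() == s for n, s in zip(names, sums))
```

A modified source fails step 2, while an edited PKGBUILD (even one with freshly recomputed checksums) fails step 1, which is why signing the script covers both cases.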