On 10/04/2014 12:54 PM, stef204 wrote:
> To verify integrity, the author does not provide checksums but only a gpg .asc file. What is the preferred way for me to proceed?

If there weren't any verification (neither hash nor signature), you would (most likely) have to trust the source on first contact (or talk to upstream). Luckily you are able to check the integrity with gpg like this:

    gpg --verify your-package-source.tar.gz.sig

Once you have verified the integrity, you can simply calculate a hash locally of the self-verified source via the sha*sum tools from coreutils [0] like this:

    sha512sum your-package-source.tar.gz

If you want an even more convenient solution, you can also simply call 'updpkgsums' (after the gpg verification) in the current directory containing the PKGBUILD in question. This will update the existing hash in your PKGBUILD (but it's recommended to check the gpg integrity before doing so).

    cd your-package-directory
    updpkgsums

cheers
Levente

[0] https://www.archlinux.org/packages/core/x86_64/coreutils/files/
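
Added example (not part of Levente's message): the verify-then-hash order described above as one script, which also pins the signer by parsing gpg's machine-readable status lines, since a plain `gpg --verify` accepts a good signature from any key in the keyring. The function names, the script name and the fingerprint argument are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: print a tarball's sha512 only if its detached signature
# verifies AND was made by one pinned key. All names here are illustrative.

# Reads "gpg --status-fd" output on stdin. Succeeds only if it reports a good
# signature whose primary-key fingerprint (last VALIDSIG field) equals $1 and
# no bad/expired/revoked signature is reported alongside it.
status_is_pinned_goodsig() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# usage: verified_sha512 FINGERPRINT SOURCE SIGNATURE
verified_sha512() {
    # Status lines go to stdout (fd 1); the human-readable report goes to stderr.
    status=$(gpg --batch --status-fd 1 --verify "$3" "$2" 2>/dev/null) || return 1
    printf '%s\n' "$status" | status_is_pinned_goodsig "$1" || return 1
    sha512sum "$2"
}

# Run only when called with three arguments, e.g.
#   sh verify-then-hash.sh <40-hex-fingerprint> \
#       your-package-source.tar.gz your-package-source.tar.gz.sig
if [ "$#" -eq 3 ]; then
    verified_sha512 "$@"
fi
```

makepkg can enforce the same pinning itself when the expected fingerprint is listed in the PKGBUILD's validpgpkeys array.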