On Thu, Jul 22, 2021 at 03:32:39PM +0200, Marcin Wieczorek wrote:
>> Also, the signatures provided on the release page only use X.509 certificates. AFAICS only GPG signatures are supported by PKGBUILD. This is why I did not include the signatures.
> Ok. I'm glad that you considered that and already took action. You could always do some prepare() magic to check the sigs. In the current case the package lacks security measures, only the sums provide integrity. Am I right?
Yes, you are right, there is only the sum currently, and the signature is not checked. Thanks for mentioning that it could be done in prepare(). I could not find a way to do checks before extraction, since prepare() is only after extraction (not required for checking the archives). Do you know a good package example which also verifies X.509 signatures in prepare() (which does not require large/unusual dependencies)? I'm happy to copy it to these projects.
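One way to do such a check with nothing beyond the openssl CLI, written here as an added example that is not from this thread or from any existing package: a `prepare()`-style function that pins the upstream signer certificate by SHA-256 fingerprint (the way `validpgpkeys` pins a GPG key) and then verifies the signature over the downloaded archive. The file names `foo-1.0.tar.gz`, `signer.crt`, the variable `_signer_fpr`, and the signature format (a raw RSA/SHA-256 signature as produced by `openssl dgst -sign`) are assumptions; if upstream ships CMS/PKCS#7 signatures instead, only the verify call changes.

```shell
#!/bin/sh
# Added example, not code from the thread or from any AUR package. Shows how a
# PKGBUILD's prepare() could verify an X.509-signed release archive using only the
# openssl CLI (in base), trusting a fingerprint pinned in the PKGBUILD rather than
# whatever certificate was downloaded next to the archive.
# Assumed (not from the thread): raw RSA/SHA-256 signature made with `openssl dgst -sign`.

# Print the SHA-256 fingerprint of a PEM certificate as uppercase hex without colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//; s/://g' | tr '[:lower:]' '[:upper:]'
}

# verify_x509_sig FILE SIGFILE CERTFILE EXPECTED_FPR
# Returns 0 only if CERTFILE matches the pinned fingerprint AND SIGFILE is a valid
# signature over FILE by that certificate's key. Without the pin, an attacker who
# can replace the archive could just as well replace the certificate beside it.
verify_x509_sig() {
    local file="$1" sig="$2" cert="$3" expected actual pub rc
    expected=$(printf '%s' "$4" | tr -d ':' | tr '[:lower:]' '[:upper:]')
    actual=$(cert_fingerprint "$cert")
    [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 1
    pub=$(mktemp) || return 1
    if ! openssl x509 -in "$cert" -pubkey -noout > "$pub" 2>/dev/null; then
        rm -f "$pub"
        return 1
    fi
    openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" >/dev/null 2>&1
    rc=$?
    rm -f "$pub"
    return $rc
}

# The body a PKGBUILD's prepare() could carry. srcdir and _signer_fpr play the role
# of the usual PKGBUILD variables; the file names stand for the real source=() entries.
prepare_example() {
    local srcdir="$1" _signer_fpr="$2"
    if ! verify_x509_sig "$srcdir/foo-1.0.tar.gz" "$srcdir/foo-1.0.tar.gz.sig" \
                         "$srcdir/signer.crt" "$_signer_fpr"; then
        echo "==> ERROR: X.509 signature check failed for foo-1.0.tar.gz" >&2
        return 1
    fi
}

# Constructed fixture so the check runs offline: a throwaway signer key/cert and a
# signed stand-in for the archive. Prints the directory it created.
make_fixture() {
    local dir
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example-release-signer' \
        -keyout "$dir/signer.key" -out "$dir/signer.crt" >/dev/null 2>&1 || return 1
    printf 'stand-in for the release tarball\n' > "$dir/foo-1.0.tar.gz"
    openssl dgst -sha256 -sign "$dir/signer.key" -out "$dir/foo-1.0.tar.gz.sig" \
        "$dir/foo-1.0.tar.gz" || return 1
    printf '%s\n' "$dir"
}

# Exercise the genuine case, a wrong pinned fingerprint, and a modified archive.
# Returns 0 when all three behave as they should.
run_demo() {
    local dir fpr
    dir=$(make_fixture) || return 1
    fpr=$(cert_fingerprint "$dir/signer.crt")
    prepare_example "$dir" "$fpr" || return 1                                  # genuine: passes
    ! prepare_example "$dir" "$(printf '%064d' 0)" 2>/dev/null || return 1     # wrong pin: fails
    echo tampered >> "$dir/foo-1.0.tar.gz"
    ! prepare_example "$dir" "$fpr" 2>/dev/null || return 1                    # modified archive: fails
    rm -rf "$dir"
    echo "all three cases behaved as expected"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
    run_demo
fi
```

Run with `RUN_DEMO=1 sh script.sh` to see the three cases. The limitation raised in the message still holds: makepkg has already extracted the archive by the time `prepare()` runs, so the check cannot gate extraction itself; it does still verify the very tarball the extracted tree came from, and `prepare()` failing aborts the build before anything is compiled or packaged.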