[aur-general] checksums

Levente Polyak levente at leventepolyak.net
Sat Oct 4 12:09:29 UTC 2014


On 10/04/2014 12:54 PM, stef204 wrote:
> To verify integrity, the author does not provide checksums but only a gpg .asc file.
> What is the preferred way for me to proceed?

If there weren't any verification (neither hash nor signature) you
would (most likely) have to trust the source on first contact (or talk
to upstream).
Luckily you are able to check the integrity with gpg like this:

  gpg --verify your-package-source.tar.gz.sig

Once you have verified the integrity, you can simply calculate a hash locally
of the self-verified source via the sha*sum tools from coreutils [0]
like this:

  sha512sum your-package-source.tar.gz

If you want an even more convenient solution, you can also simply call
'updpkgsums' (after the gpg verification) in the current directory
containing the PKGBUILD in question. This will update the existing hash
in your PKGBUILD (but it's recommended to check the gpg integrity before
doing so).

  cd your-package-directory
  updpkgsums

cheers
Levente

[0] https://www.archlinux.org/packages/core/x86_64/coreutils/files/


