levente at leventepolyak.net
Sat Oct 4 12:09:29 UTC 2014
On 10/04/2014 12:54 PM, stef204 wrote:
> To verify integrity, the author does not provide checksums but only a gpg .asc file.
> What is the preferred way for me to proceed?
If there weren't any verification (neither hash nor signature) you
would (most likely) have to trust the source on first contact (or talk
Luckily you are able to check the integrity with gpg like this:
gpg --verify your-package-source.tar.gz.sig
Once you have verified the integrity, you can simply calculate a hash locally
of the self-verified source via the sha*sum tools from coreutils
If you want an even more convenient solution, you can also simply call
'updpkgsums' (after the gpg verification) in the current directory
containing the PKGBUILD in question. This will update the existing hash
in your PKGBUILD (but it's recommended to check the gpg integrity before
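The order of operations described in the message above (verify the signature first, hash second), written out as an added example that is not part of the original post. It goes one step beyond the message by also requiring that the signature comes from one specific key; the function names and the fingerprint argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: emit a SHA-256 for a source tarball only after its detached
# signature has verified AND was made by the key fingerprint the caller expects.
# A plain "gpg --verify" succeeds for any good signature from any key in the
# keyring, so the fingerprint is checked against gpg's machine-readable status.

# status_has_validsig FINGERPRINT STATUS_TEXT
# Succeeds if STATUS_TEXT (output of gpg --status-fd) contains a VALIDSIG line
# whose signing-key or primary-key fingerprint equals FINGERPRINT.
status_has_validsig() {
    case "$1" in
        ""|*[!0-9A-F]*) return 2 ;;   # expect an upper-case hex fingerprint
    esac
    printf '%s\n' "$2" |
        grep -Eq "^\[GNUPG:\] VALIDSIG ($1 .*|.* $1)\$"
}

# verified_sha256 SOURCE SIGNATURE FINGERPRINT
# Prints the SHA-256 of SOURCE on stdout only if the signature check passes.
verified_sha256() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo "missing source or signature file" >&2
        return 2
    fi
    # Status lines go to stdout (fd 1); human-readable messages are discarded.
    vs_status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || {
        echo "gpg could not verify $1" >&2
        return 1
    }
    status_has_validsig "$3" "$vs_status" || {
        echo "signature is valid but not from expected key $3" >&2
        return 1
    }
    sha256sum "$1" | cut -d' ' -f1
}

# Usage (file names and fingerprint are placeholders):
#   verified_sha256 your-package-source.tar.gz \
#       your-package-source.tar.gz.sig \
#       0123456789ABCDEF0123456789ABCDEF01234567
```

The printed value is what would go into the PKGBUILD checksum array; if the function prints nothing, no hash should be recorded.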