[aur-general] pcb-rnd-svn first package

pcb-rnd at cuvoodoo.info
Thu Jul 22 13:57:41 UTC 2021


On Thu, Jul 22, 2021 at 03:32:39PM +0200, Marcin Wieczorek wrote:
> > also the signatures provided on the release page only use x.509 certificates.
> > AFAICS only GPG signatures are supported by PKGBUILD.
> > this is why I did not include the signatures.
> > 
> Ok. I'm glad that you considered that and already took action. You could
> always do some prepare() magic to check the sigs. In the current case the
> package lacks security measures, only the sums provide integrity.
> Am I right?

yes, you are right, there is only the sum currently, and the signature is not checked.
thanks for mentioning that it could be done in prepare().
I could not find a way to do checks before extraction, since prepare() is only after extraction (not required for checking the archives).

do you know a good package example which also verifies x.509 signatures in prepare() (which does not require large/unusual dependencies)?
I'm happy to copy it to these projects.
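
An added example, not part of the original message and not taken from any existing package: one way a prepare() could check a detached signature using only the openssl command-line tool, with the tarball listed in noextract=() so that it is unpacked only after the check passes. Assumptions: the release signature is a raw detached SHA-256 signature made with the signer's private key (a CMS/S-MIME signature would need `openssl cms -verify` instead), the signer's certificate is shipped as a source file pinned by its own checksum, and the names `verify_x509_sig`, `_tarball` and `signer.pem` are hypothetical.

```shell
# Added example: fragment for a PKGBUILD. All file names are placeholders.
# Assumed layout: source=() also lists "$_tarball.sig" and signer.pem,
# signer.pem is pinned by its own entry in sha256sums=(), and the tarball
# is listed in noextract=() so makepkg does not unpack it by itself.

# verify_x509_sig FILE SIG CERT
# Returns 0 only if SIG is a valid SHA-256 signature over FILE made with the
# private key that matches the public key in the PEM certificate CERT.
# The body runs in a subshell so its variables do not leak into the PKGBUILD.
verify_x509_sig() (
    file=$1 sig=$2 cert=$3
    pub=$(mktemp) || exit 1
    # Extract the public key from the pinned certificate, then verify the
    # detached signature. A missing file or a bad signature both give rc=1.
    if openssl x509 -in "$cert" -pubkey -noout > "$pub" 2>/dev/null &&
       openssl dgst -sha256 -verify "$pub" -signature "$sig" "$file" \
           >/dev/null 2>&1
    then
        rc=0
    else
        rc=1
    fi
    rm -f "$pub"
    exit "$rc"
)

prepare() {
    cd "$srcdir" || return 1
    if ! verify_x509_sig "$_tarball" "$_tarball.sig" signer.pem; then
        echo "X.509 signature check failed for $_tarball" >&2
        return 1
    fi
    # Unpack only after the signature has been verified.
    tar -xf "$_tarball"
}
```

This checks the signature against one pinned certificate only; it does not validate a certificate chain, expiry or revocation.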

