On 02/07/2014 10:29 AM, [email protected] wrote:
> Hi,
> is it possible to sign a binary package to prevent it from being
> compromised?
> 
> If yes, how can I check the signature from the package downloaded by
> PORTAGE_BINHOST?
> 
> Thanks :)
> 
> 
> 
There are multiple open bugs with suggestions on doing this; as of yet,
none of them have even a PoC attached.  This will likely come when
dol-sen finishes his gentoo-keyring project.

Until then, SSL or SSH as the fetch method from the binhost would be the
recommended option.

-Zero
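
The interim advice in the reply above (fetch from the binhost over SSL or SSH) can be checked mechanically. The following is an added example, not part of the original thread and not Portage's own code: a shell function that reads PORTAGE_BINHOST from a make.conf-style file and flags every URI that does not use https, ssh or sftp. The accepted scheme list, the function name and the example.org hosts are assumptions made for illustration.

```shell
#!/bin/sh
# binhost_audit FILE
# Classify each URI in PORTAGE_BINHOST found in a make.conf-style file.
# Assumption (not from the thread): https, ssh and sftp count as protected
# transports; any other scheme (http, ftp, ...) is reported as PLAINTEXT.
# Returns 0 if all URIs are protected, 1 if any is not, 2 if unset.
binhost_audit() {
    conf=$1
    rc=0
    # Use the last uncommented assignment, since later lines override earlier ones.
    value=$(sed -n 's/^[[:space:]]*PORTAGE_BINHOST=//p' "$conf" | tail -n 1)
    # Drop the quotes around the value.
    value=$(printf '%s' "$value" | tr -d "\"'")
    if [ -z "$value" ]; then
        echo "UNSET     PORTAGE_BINHOST"
        return 2
    fi
    # PORTAGE_BINHOST may hold several space-separated URIs; check each one.
    for uri in $value; do
        case $uri in
            https://*|ssh://*|sftp://*)
                echo "OK        $uri" ;;
            *)
                echo "PLAINTEXT $uri"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample make.conf fragment (hypothetical hosts), run through the audit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# PORTAGE_BINHOST="http://old.example.org/amd64"
PORTAGE_BINHOST="http://binhost.example.org/amd64 https://binhost.example.org/amd64 ssh://build@binhost.example.org/var/packages"
EOF
binhost_audit "$sample" || echo "at least one binhost URI is fetched without transport protection"
rm -f "$sample"
```
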
