On Tue, 2015-08-25 at 17:47 +0100, Ross Burton wrote:
> To provide some element of integrity to sstate archives, allow sstate archives
> to be GPG signed with a specified key (detached signature to a sidecar .sig
> file), and verify the signatures when sstate archives are unpacked.

Some random thoughts. We could add the signature into the tarball using something like the --use-compress-program option (see https://www.gnu.org/software/tar/manual/html_chapter/tar_8.html and the gpg references). That would mean we have one less separate file to worry about. Not sure which approach I prefer, just putting the idea out there...

> TODO: fetch .sig from remote sstate mirrors

We do something similar for siginfo already FWIW.

> Signed-off-by: Ross Burton <[email protected]>

I'd also probably make these callable functions, then others can override them and use them as hooks if they want to.

Cheers,

Richard
