Hi Heinrich, On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt <[email protected]> wrote: > > Hello Tom, hello Simon, > > when downloading toolchains with tools/buildman/toolchain.py or in our > Dockerfile we do not check the integrity of the download. > > When I look at > https://www.kernel.org/pub/tools/crosstool/files/bin > I find a signature file for each tool. > > So shouldn't we first download the public keys with gpg, then download > the tools and their signatures, and then check them against the keys?
Sounds reasonable to me, so long as gpg is installed, and we can add a test for it. Regards, Simon _______________________________________________ U-Boot mailing list [email protected] https://lists.denx.de/listinfo/u-boot
