On 7/29/19 9:27 PM, Simon Glass wrote:
> Hi Heinrich,
>
> On Mon, 29 Jul 2019 at 13:14, Heinrich Schuchardt <[email protected]> wrote:
>>
>> Hello Tom, hello Simon,
>>
>> when downloading toolchains with tools/buildman/toolchain.py or in our
>> Dockerfile we do not check the integrity of the download.
>>
>> When I look at
>> https://www.kernel.org/pub/tools/crosstool/files/bin
>> I find a signature file for each tool.
>>
>> So shouldn't we first download the public keys with gpg, then download
>> the tools and their signatures, and then check them against the keys?
>
> Sounds reasonable to me, so long as gpg is installed, and we can add a
> test for it.

For other tools we simply assume that they are installed and do not have
different paths based on existence. So I think we only would have to add
the gnupg dependency to .travis.yml and Dockerfile before adjusting
buildman.

Regards

Heinrich
_______________________________________________
U-Boot mailing list
[email protected]
https://lists.denx.de/listinfo/u-boot
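
An added example, not part of the thread and not buildman code: one way the proposed check could be done in Python, verifying a detached signature against a pinned keyring and requiring a `VALIDSIG` status line from an expected fingerprint instead of trusting gpg's exit code alone. The function names, the keyring file and the fingerprint are assumptions made for illustration.

```python
import os
import subprocess
import tempfile

# gpg --status-fd keywords that must never appear for a trusted download.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample data: placeholder fingerprint and status output.
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Signer\n"
    "[GNUPG:] VALIDSIG " + SAMPLE_FPR + " 2019-07-29 1564400000 0 4 0 1 8 00 "
    + SAMPLE_FPR + "\n"
)


def signature_is_trusted(status_text, trusted_fprs):
    """Return True only if a pinned key produced a valid signature.

    Needs a VALIDSIG line whose signing-key or primary-key fingerprint is in
    trusted_fprs, and no failure keyword anywhere in the status output.
    """
    trusted = {f.upper() for f in trusted_fprs}
    valid = False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in BAD_STATUS:
            return False
        if parts[1] == "VALIDSIG":
            if not {parts[2].upper(), parts[-1].upper()} & trusted:
                return False  # valid signature, but from a key we did not pin
            valid = True
    return valid


def verify_download(path, sig_path, keyring, trusted_fprs):
    """Run gpg on a detached signature, using only the given keyring file."""
    with tempfile.TemporaryDirectory() as home:  # ignore the user's own keyring
        proc = subprocess.run(
            ["gpg", "--homedir", home, "--batch", "--no-default-keyring",
             "--keyring", os.path.abspath(keyring), "--status-fd", "1",
             "--verify", sig_path, path],
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return proc.returncode == 0 and signature_is_trusted(proc.stdout, trusted_fprs)
```

Pinning the fingerprint matters because a bare `gpg --verify` succeeds for any key present in the keyring, including one fetched from a keyserver without checking.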

