When binman downloads GCC it should also download and verify the GPG signatures.
Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check.
Best regards Heinrich
Downloading binaries and executing without checking the authenticity is
at least unwise.
- [BUG] binman does not check signature of toolchain Heinrich Schuchardt
- Re: [BUG] binman does not check signature of tool... Simon Glass
- Re: [BUG] buildman does not check signature o... Heinrich Schuchardt
- Re: [BUG] buildman does not check signatu... Simon Glass
