Re: [BUG] binman does not check signature of toolchain

Hi Heinrich, On Tue, 26 Oct 2021 at 13:43, Heinrich Schuchardt wrote: > > Downloading binaries and executing without checking the authenticity is > at least unwise. > > When binman downloads GCC it should also download and verify the GPG > signatures. > > Additionally binman could hold a list of

[BUG] binman does not check signature of toolchain

Downloading binaries and executing without checking the authenticity is at least unwise. When binman downloads GCC it should also download and verify the GPG signatures. Additionally binman could hold a list of the SHA256 hashes of all binaries in question for a further check. Best