[OE-core] [PATCH][RFC] sstate: implement basic signing/validation
Richard Purdie
richard.purdie at linuxfoundation.org
Tue Aug 25 20:52:05 UTC 2015
On Tue, 2015-08-25 at 17:47 +0100, Ross Burton wrote:
> To provide some element of integrity to sstate archives, allow sstate archives
> to be GPG signed with a specified key (detached signature to a sidecar .sig
> file), and verify the signatures when sstate archives are unpacked.
Some random thoughts. We could add the signature into the tarball using
something like the --use-compress-program option (see
https://www.gnu.org/software/tar/manual/html_chapter/tar_8.html and the
gpg references). That would mean we have one less separate file to worry
about.
Not sure which approach I prefer, just putting the idea out there...
> TODO: fetch .sig from remote sstate mirrors
We do something similar for siginfo already FWIW.
> Signed-off-by: Ross Burton <ross.burton at intel.com>
I'd also probably make these callable functions, then others can
override them and use them as hooks if they want to.
Cheers,
Richard
More information about the Openembedded-core
mailing list