On Thu, Jul 22, 2021 at 03:32:39PM +0200, Marcin Wieczorek wrote:
> > also the signatures provided on the release page only use x.509
> > certificates.
> > AFAICS only GPG signatures are supported by PKGBUILD.
> > this is why I did not include the signatures.
>
> Ok. I'm glad that you considered that and already took action. You could
> always do some prepare() magic to check the sigs. In the current case the
> packages lack security measures, only the sums provide integrity.
> Am I right?
Yes, you are right: there is only the sum currently, and the signature is not checked. Thanks for mentioning that it could be done in prepare(). I could not find a way to do checks before extraction, since prepare() only runs after extraction (which is not required for checking the archives). Do you know a good package example which also verifies x.509 signatures in prepare() (and which does not require large/unusual dependencies)? I'm happy to copy it to these projects.
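One way such a prepare() check can look, as an added example that is not from this thread or from any real package: it assumes the upstream signature is a detached raw signature over the tarball (openssl dgst style), that the signer's certificate is shipped in the package tree, and that the PKGBUILD pins that certificate by its SHA-256 fingerprint (the `_signer_fingerprint` variable and `upstream-signing.crt` file names are hypothetical); only openssl is needed.

```shell
#!/bin/bash
# Added example, not code from the thread or any real PKGBUILD.
# Assumed layout (hypothetical): the tarball, its detached .sig and the
# signer's certificate are all listed in source=(), and the PKGBUILD
# defines _signer_fingerprint as the lowercase, colon-free SHA-256
# fingerprint of that certificate. The pinned fingerprint is the root of
# trust here, in the same way validpgpkeys is for GPG-signed sources.

# verify_x509_sig FILE SIG CERT EXPECTED_FPR
# Succeeds only if CERT has fingerprint EXPECTED_FPR and SIG is a valid
# SHA-256 signature over FILE made with the key in CERT.
verify_x509_sig() {
  local file="$1" sig="$2" cert="$3" expected_fpr="$4"
  local actual_fpr pubkey rc

  # Pin the certificate first: a valid signature from some other cert
  # must not pass, so check the fingerprint before looking at the sig.
  actual_fpr=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 \
               | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f') || return 1
  [ "$actual_fpr" = "$expected_fpr" ] || return 2

  # Extract the public key from the certificate and verify the signature.
  pubkey=$(mktemp) || return 1
  openssl x509 -in "$cert" -pubkey -noout > "$pubkey" \
    || { rm -f "$pubkey"; return 1; }
  openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$file" \
    >/dev/null 2>&1
  rc=$?
  rm -f "$pubkey"
  return $rc
}

# In a PKGBUILD this is called from prepare(). As noted in the thread,
# makepkg has already extracted the archive by then, but a failed check
# still aborts the build before anything is compiled or packaged.
prepare() {
  verify_x509_sig "${srcdir}/${pkgname}-${pkgver}.tar.gz" \
                  "${srcdir}/${pkgname}-${pkgver}.tar.gz.sig" \
                  "${srcdir}/upstream-signing.crt" \
                  "$_signer_fingerprint" \
    || { echo "x.509 signature check FAILED" >&2; return 1; }
}
```

If upstream instead publishes CMS/PKCS#7 signatures, the dgst call would be replaced by `openssl cms -verify` against the same pinned certificate; the fingerprint pin stays the same.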