> yes, you are right, there is only the sum currently, and the signature is not
> checked.
> thanks for mentioning that it could be done in prepare().
> I could not find a way to do checks before extraction, since prepare() is
> only after extraction (not required for checking the archives).
>
> do you know a good package example which also verifies x.509 signatures in
> prepare() (which does not require large/unusual dependencies)?
> I'm happy to copy it to these projects.
>
OpenSSL would be your only dependency. Prepare extracts the tarball, but it
should still be available in the $srcdir, right? And no, I've never seen such
an example.

Marcin Wieczorek
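
Added example (not from either poster or from any existing package): a prepare() that checks the archive left in $srcdir against a detached signature, with OpenSSL as the only dependency. It assumes upstream publishes a raw SHA-256 signature as `<archive>.sig` and that the signer's certificate is pinned as `upstream-signer.pem` in source=(); those file names, `_archive` and the helper `verify_x509_sig` are hypothetical.

```shell
# Added example; helper name, file names and certificate pinning are assumptions.

# verify_x509_sig ARCHIVE SIGNATURE CERT
# Succeeds only if SIGNATURE is a valid detached SHA-256 signature over ARCHIVE
# made by the key in the pinned PEM certificate CERT. Runs in a subshell.
verify_x509_sig() (
    archive=$1; sig=$2; cert=$3
    # Refuse a pinned certificate that has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || exit 1
    pubkey=$(mktemp) || exit 1
    rc=0
    # Extract the certificate's public key, then verify the signature with it.
    { openssl x509 -in "$cert" -noout -pubkey >"$pubkey" &&
      openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$archive" \
          >/dev/null 2>&1; } || rc=$?
    rm -f "$pubkey"
    exit "$rc"
)

# makepkg leaves the downloaded files (or symlinks to them) in $srcdir, so the
# archive and its signature are still there when prepare() runs.
prepare() {
    cd "$srcdir" || return 1
    verify_x509_sig "$_archive" "$_archive.sig" upstream-signer.pem || {
        echo "X.509 signature check failed for $_archive" >&2
        return 1
    }
}

# Constructed demo: throwaway key, self-signed certificate, signed sample file.
demo() (
    d=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-signer" \
        -keyout "$d/key.pem" -out "$d/upstream-signer.pem" 2>/dev/null || exit 1
    printf 'constructed archive contents\n' >"$d/pkg-1.0.tar.gz"
    openssl dgst -sha256 -sign "$d/key.pem" -out "$d/pkg-1.0.tar.gz.sig" \
        "$d/pkg-1.0.tar.gz" || exit 1
    srcdir=$d; _archive=pkg-1.0.tar.gz
    prepare || exit 1                         # untouched archive must pass
    printf 'tampered\n' >>"$d/pkg-1.0.tar.gz"
    if prepare 2>/dev/null; then exit 1; fi   # modified archive must fail
    rm -rf "$d"
    echo "ok: original accepted, tampered copy rejected"
)

demo
```

Because makepkg extracts archives before prepare() runs, a failure here aborts the build but does not prevent the extraction itself.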