abuild: Verify GPG signatures before checksum/verify

tcely requested to merge tcely/abuild:tcely-gpg-signatures into master

Have the default fetch function gather GPG signatures and verify them against the gpgfingerprints list set in the APKBUILD file. You may need to install gnupg (not gnupg1) before testing this, otherwise nothing is expected to happen.

gpg_signature_extensions - defaults to sig and asc; most sources will use one of these

gpgfingerprints - format: [<TRUST>:]<FINGERPRINT>

  • <TRUST>: either good or unknown
  • <FINGERPRINT>: usually 40 characters of hex copied from GPG output

gpgsource - defaults to source list; useful if only some remote files are signed

Added GPGKEYS file next to APKBUILD for importing GPG keys from the aports repository rather than relying on keyservers.

Resolves #9016

Edited by tcely
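
A sketch of checking a signature against `gpgfingerprints` entries in the `[<TRUST>:]<FINGERPRINT>` format described above, added here as an example and not taken from this merge request or from abuild. The function names, the `unspecified` label for entries without a trust prefix, the rule of accepting only 40 hex characters and the sample data are assumptions; `VALIDSIG` is the status line GnuPG writes under `--status-fd` for a valid signature.

```shell
# Added illustration; not abuild's implementation.

# Split one gpgfingerprints entry ([<TRUST>:]<FINGERPRINT>) into "trust fingerprint".
parse_gpgfingerprint() {
	case $1 in
		*:*) _trust=${1%%:*} _fpr=${1#*:} ;;
		*)   _trust=unspecified _fpr=$1 ;;  # assumption: the page states no default trust
	esac
	case $_trust in good|unknown|unspecified) ;; *) return 1 ;; esac
	_fpr=$(printf '%s' "$_fpr" | tr 'a-f' 'A-F')
	# Assumption: accept only full 40-hex fingerprints, never short key IDs.
	[ "${#_fpr}" -eq 40 ] || return 1
	case $_fpr in *[!0-9A-F]*) return 1 ;; esac
	printf '%s %s\n' "$_trust" "$_fpr"
}

# Read "gpg --status-fd 1 --verify SIG FILE" output on stdin and print the
# signing-key fingerprint and, when present, the primary-key fingerprint.
validsig_fingerprints() {
	awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; if (NF >= 12) print $NF }'
}

# check_signer STATUS_TEXT ENTRY...: print the trust label of the first listed
# fingerprint that made a valid signature; return 1 if none did.
check_signer() {
	_status=$1; shift
	_signers=$(printf '%s\n' "$_status" | validsig_fingerprints)
	for _entry in "$@"; do
		_parsed=$(parse_gpgfingerprint "$_entry") || continue
		for _s in $_signers; do
			if [ "$_s" = "${_parsed#* }" ]; then
				printf '%s\n' "${_parsed%% *}"
				return 0
			fi
		done
	done
	return 1
}

# Constructed sample: the fingerprint and status line are made up for this example.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_STATUS="[GNUPG:] VALIDSIG $SAMPLE_FPR 2020-01-01 1577836800 0 4 0 1 10 00 $SAMPLE_FPR"
```

Matching on the fingerprint from `VALIDSIG`, rather than on the exit status of `gpg --verify` alone, is what ties a source file to the keys listed in the APKBUILD instead of to any key that happens to be in the keyring.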
