abuild: Verify GPG signatures before checksum/verify
Have the default fetch function gather GPG signatures and verify them against the gpgfingerprints list set in the APKBUILD file. You may need to install gnupg1) before testing this, otherwise nothing is expected to happen.
gpg_signature_extensions - defaults to asc; most sources will use one of these
gpgfingerprints - format: <FINGERPRINT>: usually 40 characters of hex copied from GPG output
gpgsource - defaults to source list; useful if only some remote files are signed
GPGKEYS file next to APKBUILD for importing GPG keys from the aports repository rather than relying on keyservers.
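
The following is an added example, not abuild's code and not the code from this change: one way to check that a signature was made by a pinned key, rather than by any key that happens to be in the keyring, is to read GnuPG's `--status-fd` output and compare the `VALIDSIG` fingerprints with the pinned list. `check_validsig`, the fingerprints and the status lines are hypothetical and constructed for illustration.

```sh
# Added example: check_validsig is a hypothetical helper, not part of abuild.
# stdin: output of `gpg --batch --status-fd 1 --verify FILE.asc FILE`
# $1:    space-separated pinned fingerprints (40 hex characters each)
check_validsig() {
	_pinned=$(printf '%s' "$1" | tr 'a-f' 'A-F')
	_ok=1
	while read -r _prefix _keyword _fpr _rest; do
		[ "$_prefix" = "[GNUPG:]" ] || continue
		case "$_keyword" in
		BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)
			# Bad, unverifiable, expired or revoked: reject even if a
			# VALIDSIG line is also present in the stream.
			return 1 ;;
		VALIDSIG)
			# First field is the signing (sub)key fingerprint; the last
			# field is the primary key fingerprint. Accept a pin on either.
			_primary=${_rest##* }
			for _want in $_pinned; do
				if [ "$_want" = "$_fpr" ] || [ "$_want" = "$_primary" ]; then
					_ok=0
				fi
			done ;;
		esac
	done
	return "$_ok"
}

# Constructed sample status output (fingerprints and signer are made up).
SUBKEY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
PRIMARY=0123456789ABCDEF0123456789ABCDEF01234567
STATUS_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $PRIMARY"
STATUS_BAD="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0123456789ABCDEF Example Signer <signer@example.org>"
STATUS_REVOKED="[GNUPG:] REVKEYSIG 0123456789ABCDEF Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $PRIMARY"
```

In real use the function sits at the end of a pipeline such as `gpg --batch --status-fd 1 --verify src.tar.gz.asc src.tar.gz 2>/dev/null | check_validsig "$pins"`, where `$pins` is an assumed variable holding the pinned fingerprints.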