Closed conorsch closed 8 years ago
This issue in gpg was reported and deprecated back in 2014; it's a shame it's yet to be removed completely 2 years later.
This PR looks good to me. :shipit: For the record, it's good for defense-in-depth that we have always used HTTPS to download the potentially affected data+signatures.
I was a bit hasty on this. There are more variables that need to be handled, for example the two Linux source archives, .tar and .tar.xz, since they are verified by separate procedures (GPG signature and SHA256 checksum, respectively). Will add those in a separate PR after a successful build.
There's a documented, but easy-to-miss requirement for `gpg --verify` commands, stipulating that both the signature file and the filename to be verified should be specified on the command line when using a detached signature file. That's the case in several of the verification tasks for the build role. Updated and applied liberal comments for posterity.