* [gentoo-user] binary package signature
@ 2014-02-07 15:29 marco
2014-02-07 16:56 ` Rick "Zero_Chaos" Farina
0 siblings, 1 reply; 2+ messages in thread
From: marco @ 2014-02-07 15:29 UTC
To: gentoo-user
Hi,
is it possible to sign a binary package to prevent it from being
compromised?
If yes, how can I check the signature from the package downloaded by
PORTAGE_BINHOST?
Thanks :)
* Re: [gentoo-user] binary package signature
2014-02-07 15:29 [gentoo-user] binary package signature marco
@ 2014-02-07 16:56 ` Rick "Zero_Chaos" Farina
0 siblings, 0 replies; 2+ messages in thread
From: Rick "Zero_Chaos" Farina @ 2014-02-07 16:56 UTC
To: gentoo-user
On 02/07/2014 10:29 AM, marco@nucleus.it wrote:
> Hi,
> is it possible to sign a binary package to prevent it from being
> compromised?
>
> If yes, how can I check the signature from the package downloaded by
> PORTAGE_BINHOST?
>
> Thanks :)
>
>
>
There are multiple open bugs with suggestions on doing this; as of yet,
none of them have even a PoC attached. This will likely come when
dol-sen finishes his gentoo-keyring project.
Until then, ssl or ssh as the fetch method from the binhost would be the
recommended option.
- -Zero
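As an added example (not part of the original thread and not Portage code), the following shell function checks a make.conf-style file for PORTAGE_BINHOST entries that are not fetched over SSL or SSH, as the reply recommends. It assumes that https://, ssh:// and sftp:// count as encrypted fetch methods; the function name and the binhost.example host names are hypothetical.

```shell
#!/bin/sh
# Added example: flag PORTAGE_BINHOST URIs that do not use SSL or SSH.
# Reads make.conf-style text on stdin, prints each offending URI on its
# own line, and returns 1 if any were found (0 otherwise).
check_binhost() {
    # Take the last uncommented assignment (later assignments override
    # earlier ones) and strip the surrounding quotes.
    uris=$(sed -n 's/^[[:space:]]*PORTAGE_BINHOST=//p' | tail -n 1 | tr -d "\"'")
    bad=0
    # PORTAGE_BINHOST may hold several space-separated URIs.
    for uri in $uris; do
        case $uri in
            https://*|ssh://*|sftp://*) ;;   # assumed encrypted transports
            \$*) ;;                          # variable reference, cannot be resolved here
            *) printf '%s\n' "$uri"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample input (not taken from the thread).
sample='PORTAGE_BINHOST="http://binhost.example/packages ssh://portage@binhost.example/usr/portage/packages"'
printf '%s\n' "$sample" | check_binhost \
    || echo "the binhost URIs listed above are fetched without SSL/SSH" >&2
```

On a real system the input would be the active configuration, for example `check_binhost < /etc/portage/make.conf`.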