Skip to content

feat: Add GPG signature verification for all source tarballs #636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
romeoahmed wants to merge 8 commits into
base: master
Choose a base branch
from
Open

feat: Add GPG signature verification for all source tarballs #636

romeoahmed wants to merge 8 commits into from
+109 −29

Conversation

@romeoahmed
Copy link

@romeoahmed romeoahmed commented Dec 3, 2025

Add GPG signature checks for all upstream Linux kernel source tarballs across all PKGBUILDs.

@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch from 4f9068e to e3afaee Compare December 3, 2025 15:43
@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch from e3afaee to e3002d8 Compare December 3, 2025 15:46
ptr1337
ptr1337 reviewed Dec 3, 2025
View reviewed changes
Copy link
Member

@ptr1337 ptr1337 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

Im not sure, if we really want this, since this will break the cachyos-kernel-manager, since users would manually add the gpg keys to their system

@romeoahmed
Copy link
Author

romeoahmed commented Dec 3, 2025
edited
Loading

Sorry, but I believe that verifying GPG signatures can prevent supply chain attacks, which should benefit every user.
Users who do not use makepkg should not be affected.

@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch from eee5fbd to a8ee9cc Compare December 4, 2025 00:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ptr1337 ptr1337 ptr1337 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@romeoahmed @ptr1337