gpg_verify 1.0 feedback

Joshua Root jmr at
Thu Sep 24 20:49:42 UTC 2020

I think that gpg signature verification is something that belongs in
maintainer-facing tools rather than in Portfiles. If the maintainer
verifies the distfile's signature before updating the checksums, the
user gets close to the same assurances while avoiding a lot of complexity.

I always verify before updating if the project provides signatures, and
I would hope others do the same, but also wouldn't be surprised if some
don't. Better tools might help improve things.

- Josh

More information about the macports-dev mailing list