[MacPorts] #61219: ghc @8.10.1: GPG signature verification failed
MacPorts
noreply at macports.org
Fri Sep 25 03:40:21 UTC 2020
#61219: ghc @8.10.1: GPG signature verification failed
-------------------------+-----------------------
Reporter: ryandesign | Owner: essandess
Type: defect | Status: closed
Priority: Normal | Milestone:
Component: ports | Version: 2.6.3
Resolution: duplicate | Keywords:
Port: ghc |
-------------------------+-----------------------
Comment (by chrstphrchvz):
Replying to [comment:4 essandess]:
> I, for one, would like to know that this binary has been verified before
I run it on my systems. The port group gpg_verify does this.
"Verified" is somewhat ambiguous. As far as ensuring the integrity of
distfiles, that is what the existing rmd160/sha256 checksums in portfiles
are for. PGP verification, being a digital signature, similarly implies
computing a checksum to verify integrity.
What PGP verification can do which portfile checksums can't do is help
authenticate distfiles, i.e. ensure they weren't created by a malicious
party. (This assumes the private key isn't compromised, and ideally
involves not blindly trusting the provided pubkey—otherwise one would
argue it isn't any better than standalone checksums.)
--
Ticket URL: <https://trac.macports.org/ticket/61219#comment:6>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets
mailing list