@romeoahmed

Add GPG signature checks for all upstream Linux kernel source tarballs across all PKGBUILDs.

@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch 2 times, most recently from e3afaee to e3002d8 Compare December 3, 2025 15:46
Member

@ptr1337 ptr1337 left a comment

Thanks for the PR!

I'm not sure if we really want this, since this will break the cachyos-kernel-manager, since users would manually add the GPG keys to their system.

@romeoahmed
Author

romeoahmed commented Dec 3, 2025

Sorry, but I believe that verifying GPG signatures can prevent supply chain attacks, which should benefit every user.
Users who do not use makepkg should not be affected.

@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch from eee5fbd to a8ee9cc Compare December 4, 2025 00:18
@dougg0k

dougg0k commented Dec 18, 2025

I had some doubts on this matter as well, so much so that I have asked for the CI's URLs before, which ideally should be public / visible to anyone. At least for the kernel it seems to be, with GH Actions.

A way to keep integrity is making the whole flow, from code to actual release, completely publicly viewable, and for that, all automated and also public.

So, this is a request that seems very valid to me.


I just asked an AI (free ChatGPT) to list some additional methods that could still be used even after signing the kernel tar.

@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch from 6d09ae3 to 0de4c4f Compare December 29, 2025 14:16
@romeoahmed romeoahmed force-pushed the feat/gpg-verification branch from 0de4c4f to ff9ea80 Compare December 31, 2025 03:40