==> WARNING: Skipping verification of source file PGP signatures

This comes up on too many installs… without a good way to remedy it and verify downloads. Bypassing it should not be a default…

I looked at other posts about this but they’re all just related to specific installs. Why can’t we just get the right keys automatically?

Honestly, I don’t mind it because, really, the chance of the files being different is low. But that’s just my opinion. Are you using yay? It comes up for me on there. If so, try using aura or octopi if possible.


There is a sha verification… but you know how it works. Security in layers. Maybe it was just too much of a headache to implement? Or maybe it’s viewed as pointless if it just fetches the key just before the package… but IF someone wanted to take over your system, it would be trivial for them to just serve you a wrong sha and package (unless they’re pulled from different places; I haven’t checked), but it would be much harder to serve you a wrong key too, and sign the package too.

What is a package that does that?

Can you provide a specific example?

See this issue:

If yay does checks before importing the key, it’ll always fail and won’t build the package. So it skips the integrity check after download if the keys need importing.

Nonetheless, it will check files before building. So there shouldn’t be integrity related issues.

PS. I see this warning on many packages and instead just use Paru.

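To make the "security in layers" point and the key-import problem above concrete, here is an added example (not code from this thread, nor from yay, paru or makepkg) of the decision makepkg makes on a signed source: parse GnuPG's `--status-fd` output and accept only a good signature whose primary key fingerprint is pinned in the PKGBUILD's `validpgpkeys`. A key that is fetched alongside the package buys nothing unless its fingerprint was pinned beforehand, and a missing key (`NO_PUBKEY`) is the case an AUR helper hits before importing. The status lines and fingerprints are constructed, and the trust-level fallback for an empty allowlist is simplified.

```python
import hashlib

# Constructed fingerprints: the maintainer's pinned key and an attacker's own key.
MAINTAINER_FPR = "0000111122223333444455556666777788889999"
ATTACKER_FPR = "1111222233334444555566667777888899990000"

# Constructed GnuPG --status-fd output (not captured from a real run).
STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 6666777788889999 Upstream Maintainer <maint@example.org>
[GNUPG:] VALIDSIG {MAINTAINER_FPR} 2024-01-01 1704067200 0 4 0 1 8 00 {MAINTAINER_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Tarball, checksum and signature all replaced, re-signed with the attacker's key:
# the signature is "good", but the fingerprint is not the pinned one.
STATUS_RESIGNED = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Upstream Maintainer <maint@example.org>
[GNUPG:] VALIDSIG {ATTACKER_FPR} 2024-01-01 1704067200 0 4 0 1 8 00 {ATTACKER_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Signing key not in the local keyring: the case that needs a key import first.
STATUS_NO_PUBKEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 6666777788889999 1 8 00 1704067200 9 -
[GNUPG:] NO_PUBKEY 6666777788889999
"""


def checksum_ok(data: bytes, expected_sha256: str) -> bool:
    """First layer: the checksum shipped next to the file (same channel as the file)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


def verify_gpg_status(status: str, validpgpkeys: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Second layer: GOODSIG alone is not enough; the primary key fingerprint from
    VALIDSIG must be in validpgpkeys. With no allowlist, fall back to requiring a
    fully/ultimately trusted key (simplified version of makepkg's handling)."""
    seen = {}
    for line in status.splitlines():
        if line.startswith("[GNUPG:] "):
            fields = line.split()
            seen[fields[1]] = fields[2:]  # keyword -> remaining fields
    if "NO_PUBKEY" in seen:
        return False, "NO_PUBKEY " + seen["NO_PUBKEY"][0]
    for bad in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
        if bad in seen:
            return False, f"{bad} {seen[bad][0]}"
    if "VALIDSIG" not in seen:
        return False, "no VALIDSIG"
    fpr = seen["VALIDSIG"][-1].upper()  # last field is the primary key fingerprint
    if validpgpkeys:
        return fpr in {k.upper() for k in validpgpkeys}, fpr
    return ("TRUST_FULLY" in seen or "TRUST_ULTIMATE" in seen), fpr
```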