QDK - QPKG Development Kit

Trust but Verify

When a QPKG package is installed the installation script runs with super-user privileges and a malicious package could cause all kinds of problems. As long as the QPKG is downloaded from a trusted package builder this is probably not an issue, but better safe than sorry. If the QPKG is signed then it is possible to use the --verify option to verify that it is built by the package builder and that it hasn't been modified. For this to work the package builder's public key must have been imported in the public keyring using the --import-key option.

All imported keys can be shown using the --list-keys option and a key can be removed from the keyring using --remove-key.

Of course, to be able to verify a package it must have been signed when it was built; this is accomplished using either the --sign or the --gpg-name option at build time or an existing package can have a signature added using --add-sign. The --add-sign option can also be used when an already signed package should be re-signed with a different key.

Note that only QPKG packages built with QDK 2.0 or later can have a signature added using the --add-sign option.
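
The import-then-verify workflow described above, written as shell functions that refuse to run an installer unless verification succeeds. This is an added example, not part of the QDK documentation; it assumes that --import-key and --verify take a file path as their argument and that qbuild exits non-zero when verification fails, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of QDK. Assumptions: --import-key and --verify take
# a file path, and qbuild exits non-zero when verification fails.
QBUILD="${QBUILD:-qbuild}"    # path to qbuild; override if it is not on PATH

# import_builder_key KEYFILE
# Import the package builder's public key, then show the keyring so the
# operator can confirm which keys are now trusted.
import_builder_key() {
    [ -r "$1" ] || { echo "key file not readable: $1" >&2; return 2; }
    "$QBUILD" --import-key "$1" || return 1
    "$QBUILD" --list-keys
}

# verify_qpkg PKG
# Succeeds only when qbuild accepts the package signature.
verify_qpkg() {
    [ -f "$1" ] || { echo "no such package: $1" >&2; return 2; }
    "$QBUILD" --verify "$1"
}

# run_if_verified PKG COMMAND [ARGS...]
# Run COMMAND (for example the installer) only after PKG verifies; a package
# that fails verification never reaches COMMAND.
run_if_verified() {
    pkg=$1
    shift
    if verify_qpkg "$pkg"; then
        "$@"
    else
        echo "refusing to continue: $pkg failed verification" >&2
        return 1
    fi
}

# Typical use (file names are constructed):
#   import_builder_key builder-pubkey.asc
#   run_if_verified MyApp_1.0.qpkg <install command for MyApp_1.0.qpkg>
```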


Last updated 5 years ago