1 files changed, 50 insertions, 0 deletions

diff --git a/config/global/download.in b/config/global/download.in
index fc79400..57f42e6 100644
--- a/config/global/download.in
+++ b/config/global/download.in
@@ -132,4 +132,54 @@ config MIRROR_BASE_URL
 
 endif # USE_MIRROR
 
+config VERIFY_DOWNLOAD_DIGEST
+    bool "Verify download digests (checksums)"
+    default y
+    depends on CONFIGURE_has_sha512sum || CONFIGURE_has_sha256sum || CONFIGURE_has_sha1sum || CONFIGURE_has_md5sum
+
+if VERIFY_DOWNLOAD_DIGEST
+
+choice
+    prompt "Digest algorithm"
+
+config VERIFY_DOWNLOAD_DIGEST_SHA512
+    bool "SHA-512"
+    depends on CONFIGURE_has_sha512sum
+
+config VERIFY_DOWNLOAD_DIGEST_SHA256
+    depends on CONFIGURE_has_sha256sum
+    bool "SHA-256"
+
+config VERIFY_DOWNLOAD_DIGEST_SHA1
+    depends on CONFIGURE_has_sha1sum
+    bool "SHA-1"
+
+config VERIFY_DOWNLOAD_DIGEST_MD5
+    depends on CONFIGURE_has_md5sum
+    bool "MD5"
+
+endchoice
+
+config VERIFY_DOWNLOAD_DIGEST_ALG
+    string
+    default "md5" if VERIFY_DOWNLOAD_DIGEST_MD5
+    default "sha1" if VERIFY_DOWNLOAD_DIGEST_SHA1
+    default "sha256" if VERIFY_DOWNLOAD_DIGEST_SHA256
+    default "sha512" if VERIFY_DOWNLOAD_DIGEST_SHA512
+
+endif # VERIFY_DOWNLOAD_DIGEST
+
+config VERIFY_DOWNLOAD_SIGNATURE
+    bool "Verify detached signatures"
+    help
+      Verify the signatures for the downloads where available.
+      This requires the public keys for all the packages used in the build
+      to be imported into a keyring on the build machine.
+
+      Note that the validation will succeed so long as the signature
+      is known and valid, even if the signature is not trusted! GnuPG
+      issues a warning in this case, but ultimately reports that validation
+      succeeded. Check the log file if this is a concern; crosstool-NG
+      may add an option to verify this more paranoidally later.
+
 endif # ! FORBID_DOWNLOAD