Oden Eriksson <[EMAIL PROTECTED]> writes:

> On Monday 27 January 2003 22.54, Todd Lyons wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>> Vincent will correct me if I'm wrong, but there are only three keys that
>> are used to officially sign packages in Main. Those three keys get
>> installed automatically into root's keyring when the gnupg package is
>> installed. If a developer happens to also package some Contrib rpm, the
>> sig will be good. If a community contributor packages the Contrib rpm,
>> then the end user who's installing it must go and manually retrieve
>> (just once) the packager's public key.
>
> So I guess re-signing my packages while the upload procedure is running with
> one of these 3 keys is out of the question then?

At present contrib are not signed. One of the ideas for the future is to have different keys and allow the user to select which keys are valid for packages, for example:

- Stable release
- Contrib stable release
- Development release
- Security updates

e.g. the user will have to explicitly select the development key to be able to install cooker packages on a stable release.

It is not likely that we have time to do this for 9.1.

--
Warly
