On Thu, Jul 25, 2019 at 12:46:11PM +0200, Björn Persson wrote:
> Joe Orton wrote:
> > We'd put the set of trusted GPG keys in the repository alongside the
> > spec file, using some standard filename, and the build system would try
> > check the .asc against the keys when downloading (or uploading? I can't
> > remember) a new tarball. This would ensure the tarball uploaded to the
> > lookaside cache was trusted.
>
> If you can implement that in such a way that the packager can't neglect
> to verify the signature, then that might also work for Fedora's needs.
> You'll have to think hard about how the code will know which source
> file to verify against which signature in all possible situations.
You talk like this is a hard problem but it was implemented that way for
the first N years of Fedora - possibly when the infrastructure was only
internal to Red Hat, I don't remember. It just got thrown away with the
move to git & fedpkg.
It worked from Makefiles but a fedpkg equivalent would be something
like:
fedpkg download => worked like spectool -g specfile.spec
but also fetched ${tarball}.asc
fedpkg upload X =>
if ./gpgkeys exists:
enforce verification of ${tarball} against ${tarball}.asc using ./gpgkeys
actually upload X and update sources
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
