On Tue, 2016-03-22 at 22:45 +0100, Björn Persson wrote: > > I suppose so, at least if the key is specified as only a filename. What > will it do if a URL to the key is provided, and the key at that location > has been modified? Will it replace the key with the modified one in the > scratch build, …
That behaviour would be... suboptimal. The key (or at least its fingerprint) should be committed directly to pkg git after being obtained through some trusted method — which depends on how upstream publishes it. For reference, I put a couple of examples into https://fedorahosted.org/fpc/ticket/610#comment:6 -- David Woodhouse Open Source Technology Centre [email protected] Intel Corporation
smime.p7s
Description: S/MIME cryptographic signature
-- devel mailing list [email protected] http://lists.fedoraproject.org/admin/lists/[email protected]
