Re: [libvirt-glib] spec: Add verification of the tarball GPG signature

Hi,

On Thu, Apr 14, 2016 at 10:01:27AM -0400, Cole Robinson wrote:
> On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
> > This at least allows us to make sure that all tarballs are signed with the
> > same GPG key, and that the tarball was not corrupted between the time it
> > was uploaded upstream and the time the RPM is built.
> > 
> > danpb-BE86EBB415104FDF.gpg is generated with:
> > gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
> 
> That file wasn't committed though, was it meant to be?

I left it out on purpose as it's better if the packager gets the key for
verification using their own channel. If it's in the tarball, then it
could be modified at the same time as the tarball. If someone wants to
directly use the .spec file from the source tarball in order to build
libvirt-glib, this is indeed going to be an issue. I don't think this is
what is commonly done, is it?

Christophe


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
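The verification scheme discussed in this thread, as an added example that is not code from the libvirt-glib patch or from either poster: the maintainer's public key is exported into a standalone keyring (the same `--export | --no-default-keyring --keyring FILE --import` construction quoted above) and the tarball is then checked against its detached signature using only that keyring, which is what the `%prep` step of the spec would do. The key identity, file names and tarball contents are constructed for the demo, and gpg2 or gpg is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the libvirt-glib patch or this thread: it runs
# the scheme under discussion end to end. The maintainer's public key is
# exported into a standalone keyring file and the tarball is checked against
# its detached signature using only that keyring. Key identity, file names
# and tarball contents are constructed; gpg2 or gpg must be installed.
set -eu
GPG=$(command -v gpg2 || command -v gpg)

# The check a %prep step would run: exit 0 only if SIG is a valid signature
# over TARBALL made by a key that is present in KEYRING.
verify_tarball() {
    keyring=$1; sig=$2; tarball=$3
    "$GPG" --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$tarball" >/dev/null 2>&1
}

# Throwaway key in a temporary GNUPGHOME, a signed tarball, and the keyring
# built the way the thread describes (--export | --keyring FILE --import).
# Prints "ok" when the genuine tarball passes and both failure cases fail.
demo() {
    work=$(mktemp -d); tarball="$work/pkg-1.0.tar.gz"
    export GNUPGHOME="$work/gnupghome"; mkdir -m 700 "$GNUPGHOME"
    "$GPG" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Maintainer <demo@example.invalid>" \
        default default never 2>/dev/null
    printf 'constructed tarball contents\n' >"$tarball"
    "$GPG" --batch --quiet --armor --detach-sign --output "$tarball.asc" "$tarball"
    "$GPG" --batch --armor --export demo@example.invalid |
        "$GPG" --batch --quiet --no-default-keyring \
            --keyring "$work/demo-maintainer.gpg" --import 2>/dev/null
    kr="$work/demo-maintainer.gpg"
    # 1. the untouched tarball verifies against the packager's keyring
    verify_tarball "$kr" "$tarball.asc" "$tarball" || { echo genuine-rejected; return 1; }
    # 2. a keyring lacking the maintainer's key cannot vouch for anything
    : >"$work/empty.gpg"
    if verify_tarball "$work/empty.gpg" "$tarball.asc" "$tarball"; then
        echo unknown-key-accepted; return 1; fi
    # 3. a tarball altered after signing (corruption or substitution) is rejected
    printf 'tampered\n' >>"$tarball"
    if verify_tarball "$kr" "$tarball.asc" "$tarball"; then
        echo tamper-accepted; return 1; fi
    gpgconf --kill all >/dev/null 2>&1 || true
    rm -rf "$work"; echo ok
}

demo
```

Because the keyring is passed explicitly and `--no-default-keyring` is set, the packager's personal keyring plays no part in the decision, which is why the key file has to reach the packager through a channel independent of the tarball.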