Re: [libvirt-glib] spec: Add verification of the tarball GPG signature

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Apr 14, 2016 at 04:31:15PM +0200, Christophe Fergeau wrote:
> Hi,
> 
> On Thu, Apr 14, 2016 at 10:01:27AM -0400, Cole Robinson wrote:
> > On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
> > > This at least allows to make sure that all tarballs are signed with the
> > > same GPG key, and that the tarball was not corrupted between the time it
> > > was uploaded upstream, and the time the RPM is built.
> > > 
> > > danpb-BE86EBB415104FDF.gpg is generated with:
> > > gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
> > 
> > That file wasn't committed though, was it meant to be?
> 
> I left it out on purpose as it's better if the packager gets the key for
> verification using its own channel. If it's in the tarball, then it
> could be modified at the same time as the tarball. If someone wants to
> directly use the .spec file from the source tarball in order to build
> libvirt-glib, this is indeed going to be an issue. I don't think this is
> what is commonly done, is it?

Yes, it is something we need to support - ie rpmbuild -ta <tarball>
should work

So in retrospect we need to make this conditional, defaulting to
off, and just change it to default to on in fedora / rhel formal
builds

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]