On Mon, 2016-03-21 at 18:02 +0100, Till Maas wrote:
>
> It is a simple one-liner if you use gpgv2:
> http://pkgs.fedoraproject.org/cgit/rpms/youtube-dl.git/tree/youtube-dl.spec#n35

That's better than my version; thanks. It also means there's probably not a lot of point in trying to simplify it with an RPM macro.

Might be nice if we could just use the ASCII-armoured key instead of having to generate the gpgkey-$KEYID.gpg keyring, but it's not the end of the world.

It turns out we've had a packaging draft since 2010:
https://fedoraproject.org/wiki/PackagingDrafts:GPGSignatures

I've updated it and taken it over. I'm sure Matt will forgive me.

The original draft does raise an interesting question — do we need to put the upstream PGP key directly into the package git tree instead of the lookaside cache? I suppose while the lookaside cache is still only using MD5(!) to validate what it downloads, the answer to that is an unequivocal 'yes'.

Which means it would be even nicer to find a way to use the ASCII-armoured version of the key. Perhaps even if the check ends up being a two-stage process where we *make* a keyring and then use it with gpgv2?

But really, the key is encoded in the signature already; can't we just specify the acceptable fingerprint on the gpgv2 command line? Is that a reasonable feature request for gpgv2?

The original draft also asks if we want the signature itself to be in the git tree. I don't really see the point, if the signing key is trusted.

https://fedorahosted.org/fpc/ticket/610

Might be nice to have rpmlint, when checking source URLs, also complain if a %{SOURCEx}.sig or %{SOURCEx}.asc file exists on the download site, and *isn't* also present as a source file in the spec?

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse@xxxxxxxxx                              Intel Corporation
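The point made above, that the signature already names its key, shown as an added example that is not from the thread or from GnuPG: a small Python parser that pulls the Issuer key ID and Issuer Fingerprint subpackets out of a detached OpenPGP signature and compares them with a pinned fingerprint. It assumes the old-format packet header GnuPG writes for signature packets, and the sample signature bytes are constructed; the unhashed Issuer subpacket is not covered by the signature, so this only selects which key to hand to gpgv2, which still does the real verification.

```python
import struct

ISSUER, ISSUER_FPR = 16, 33   # subpacket types: Issuer key ID (RFC 4880), Issuer Fingerprint (GnuPG 2.1+)

def _length(buf, i):
    """Decode a 1-, 2- or 5-octet subpacket length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 255:
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def _subpackets(area):
    """Yield (type, body) for every subpacket in a hashed or unhashed area."""
    i = 0
    while i < len(area):
        length, i = _length(area, i)              # length includes the type octet
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length

def signature_issuer(sig):
    """Key ID and, when present, fingerprint a v4 signature names as its issuer (assumes the
    old-format tag-2 header GnuPG writes). The unhashed area is not signed: it only names a key."""
    if sig[0] & 0xC0 != 0x80 or (sig[0] >> 2) & 0x0F != 2:
        raise ValueError("expected an old-format signature packet (tag 2)")
    size = (1, 2, 4)[sig[0] & 3]                  # low 2 bits: number of length octets
    body = sig[1 + size:1 + size + int.from_bytes(sig[1:1 + size], "big")]
    hlen = struct.unpack(">H", body[4:6])[0]
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    found = {}
    for area in (body[6:6 + hlen], body[8 + hlen:8 + hlen + ulen]):
        for typ, val in _subpackets(area):
            if typ == ISSUER:
                found["keyid"] = val.hex().upper()
            elif typ == ISSUER_FPR:
                found["fingerprint"] = val[1:].hex().upper()   # first octet is the key version
    return found

def issuer_matches(sig, pinned_fingerprint):
    """Pre-check that the signature names the packager's pinned key; gpgv2 still does the proof."""
    want = pinned_fingerprint.replace(" ", "").upper()
    found = signature_issuer(sig)
    if "fingerprint" in found:
        return found["fingerprint"] == want
    return found.get("keyid") == want[-16:]       # a v4 key ID is the low 64 bits of the fingerprint

_FPR = bytes.fromhex("AAAABBBBCCCCDDDDEEEEFFFF0123456789ABCDEF")     # constructed sample key, not real
_HASHED = b"\x05\x02\x56\xf0\x2b\x4a" + b"\x16\x21\x04" + _FPR      # creation time, issuer fingerprint
_UNHASHED = b"\x09\x10" + _FPR[-8:]                                   # issuer key ID
_BODY = (b"\x04\x00\x01\x08" + len(_HASHED).to_bytes(2, "big") + _HASHED
         + len(_UNHASHED).to_bytes(2, "big") + _UNHASHED + b"\x12\x34\x00\x10\xab\xcd")
SAMPLE_SIG = b"\x88" + len(_BODY).to_bytes(1, "big") + _BODY          # tag 2, 1-octet length; dummy MPI
```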