On 28/03/2019 16:24, Michael Zhang wrote:
When publishing, does Fedora:
a) rebuild a maintainer's package from source and gpg sign it with
their own fedora gpg key
(ex. /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary)
OR:
b) publish the package that the maintainer personally compiled and
gpg signed with their personal key?
If the answer is b), why do we import a Fedora public key to verify
packages/rpms?
The first - all packages are built from source in koji and then
signed with the Fedora key.
Tom
--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
