Thanks for the response.
Micha
el Zhang
el Zhang Software Developer Test (WAS Install Team)
----- Original message -----
From: Tom Hughes <tom@xxxxxxxxxx>
To: Development discussions related to Fedora <devel@xxxxxxxxxxxxxxxxxxxxxxx>, Michael Zhang <Michael.Zhang@xxxxxxx>
Cc:
Subject: Re: Fedora GPG signing/verifying question
Date: Thu, Mar 28, 2019 12:27 PM
On 28/03/2019 16:24, Michael Zhang wrote:
> When publishing, does Fedora:
> a) rebuild a maintainer's package from source and gpg sign it with
> their own fedora gpg key
> (ex. /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary)
> OR:
> b) publish the package that the maintainer personally compiled and
> gpg signed with their personal key?
>
> If the answer is b), why do we import a Fedora public key to verify
> packages/rpms?
The first - all packages are built from source in koji and then
signed with the Fedora key.
Tom
--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
