Ben Beasley wrote: > Please compare with https://src.fedoraproject.org/rpms/xfontsel/blob/rawhide/f/xfontsel.spec, paying close attention to the comments in the spec file. SKS keyservers have gone offline since that package obtained its keyring, so try using hkps://keys.openpgp.org instead. To elaborate on this, the procedure described in xfontsel.spec finds the key that was used to make the signature, so whoever made the signature becomes the trusted upstream. If you do that *once*, it's a form of trust on first use. It lets you discover future attacks as long as you continue using the same key, assuming that you got the right key to begin with. If you would repeat the key lookup every time you upgrade the package, then you would render the verification meaningless. You'd just be verifying that the tarball was signed by whoever signed the tarball. So don't do that. Björn Persson
Attachment:
pgpt_OtjhV9oG.pgp
Description: OpenPGP digital signatur
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure