On Fri, Sep 16, 2022 at 05:30:13PM +0000, Tommy Nguyen wrote:
> With that being said, if a GPG key would be compromised, wouldn't it
> result in an error when trying to update the package? An end user would
> then report the bug, someone would see that the key does not match the
> signature in the gpg-distribution package, signalling that it's
> compromised.

A compromised GPG key means something else. It means that you have a valid signature for a package made with a genuine Fedora packager's key. But not made by the Fedora packager. You won't recognize a compromised key by checking the signatures.

You probably wanted to write a compromised dist-git account. In that case the GPG signature would help.

-- Petr
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue