On Tue, Nov 01, 2022 at 02:55:34PM -0700, Josh Stone wrote: > On 11/1/22 11:16 AM, Neal Gompa wrote: > > That said, the packages *are* signed in Koji, because as soon as it's > > submitted to Bodhi, the packages are signed in-place in Koji. > > Is that really in-place? Bodhi says these are signed, but when I > download from koji, "rpm -qip" still shows "Signature: (none)". If you download the direct build links you get unsigned copies. If you use something like: koji download-build --key=5323552a openssl-3.0.5-2.fc37 you get builds signed with the f37 key. Or you can look directly at: https://kojipkgs.fedoraproject.org/packages/openssl/3.0.5/3.fc37/data/signed/5323552a/ where data/signed/ has a dir for any keys the rpms are signed with and written out currently. Currently we are waiting for the CI tests to all complete, then the f36 one will be pushed stable, and likely the f37 one won't be far behind. kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
