Jonathan Wright via devel wrote:
> My latest commit to rawhide adds signature verification and updates the
> source URL to https.
>
> https://src.fedoraproject.org/rpms/mdadm/c/c8d54b071aea9605ab75f3c5ff67d44d306e7fb2?branch=rawhide

A comment in the spec file says:

# keyring should be one from https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys
# which will vary depending on who did the release

That's a long list. Can all of those people make mdadm releases?

Please try to avoid replacing the keyring every time you upgrade the package to a new release. That would severely diminish the security benefit of the signature verification.

You can have multiple keys if there are multiple people who make releases. For the current version of gpgverify you need to combine the keys into a single file. Simple concatenation seems to work. The Nginx package does that:

https://src.fedoraproject.org/rpms/nginx/blob/8b7ceb13dd13cd18b9603872b2b5611be2d60029/f/nginx.spec#_253

This pull request would improve gpgverify to accept multiple key files, so you wouldn't need to concatenate them:

https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/261

Björn Persson
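The concatenation approach described in the message above, as an added example that is not part of the original message, the mdadm or nginx packaging, or the gpgverify script: it combines several armored release-manager keys into one keyring file, then checks a detached signature against only that keyring. The function names are hypothetical, and it assumes `gpg` and `gpgv` (GnuPG 2.x) are on PATH.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; assumes gpg and gpgv
# (GnuPG 2.x) are on PATH and the key files are ASCII-armored.

# combine_keys OUT KEY...: concatenate armored public keys into one file.
combine_keys() {
    ck_out=$1
    shift
    : > "$ck_out" || return 1
    for ck_key in "$@"; do
        # Refuse anything that is not an armored public key block, so a
        # stray tarball or signature never ends up in the keyring.
        if ! grep -q -e '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$ck_key"; then
            echo "not an armored public key: $ck_key" >&2
            rm -f "$ck_out"
            return 1
        fi
        cat "$ck_key" >> "$ck_out"
        echo >> "$ck_out"   # keep armor blocks on separate lines
    done
}

# verify_with_keyring KEYRING SIGNATURE DATA: succeed only if SIGNATURE
# over DATA was made by a key contained in KEYRING.
verify_with_keyring() {
    vk_work=$(mktemp -d) || return 2
    vk_rc=0
    {
        # gpgv wants a binary keyring, so dearmor the combined file first.
        gpg --homedir "$vk_work" --no-default-keyring --quiet --yes \
            --output "$vk_work/keyring.gpg" --dearmor "$1" &&
        # gpgv trusts exactly the keys in --keyring and nothing else.
        gpgv --homedir "$vk_work" --keyring "$vk_work/keyring.gpg" "$2" "$3"
    } || vk_rc=$?
    rm -rf "$vk_work"
    return "$vk_rc"
}
```

With this layout, a new release manager means one more argument to `combine_keys`, while the keys already in the keyring stay in place across package updates.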