Jonathan Wright via devel wrote:
> My latest commit to rawhide adds signature verification and updates the
> source URL to https.
> 
> https://src.fedoraproject.org/rpms/mdadm/c/c8d54b071aea9605ab75f3c5ff67d44d306e7fb2?branch=rawhide

A comment in the spec file says:

    # keyring should be one from https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git/plain/keys
    # which will vary depending on who did the release

That's a long list. Can all of those people make mdadm releases?

Please try to avoid replacing the keyring every time you upgrade the
package to a new release. That would severely diminish the security
benefit of the signature verification. You can have multiple keys if
there are multiple people who make releases. For the current version of
gpgverify you need to combine the keys into a single file. Simple
concatenation seems to work. The Nginx package does that:

https://src.fedoraproject.org/rpms/nginx/blob/8b7ceb13dd13cd18b9603872b2b5611be2d60029/f/nginx.spec#_253

This pull request would improve gpgverify to accept multiple key files,
so you wouldn't need to concatenate them:

https://src.fedoraproject.org/rpms/redhat-rpm-config/pull-request/261

Björn Persson
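Added example, not code from the mdadm or nginx packages nor from gpgverify: a Python script that parses a keyring made by concatenating ASCII-armored key files, shows why plain concatenation works (each armor block is self-delimiting and carries its own CRC-24 trailer), and lists the fingerprint, creation time and user IDs of every primary key so a packager can confirm the keyring holds exactly the intended release managers' keys and review changes to it across updates rather than replacing it. The two keys in SAMPLE_KEYRING are constructed with toy RSA moduli and are not real keys; the names list_keys, check_keyring, dearmor and iter_packets are this example's own.

```python
import base64
import hashlib
import re
import struct

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
ARMOR_RE = re.compile(r"-----BEGIN PGP PUBLIC KEY BLOCK-----.*?"
                      r"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data: bytes) -> int:  # armor checksum, RFC 4880 section 6.1
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(packets: bytes) -> str:  # used only to build the constructed samples
    b64 = base64.b64encode(packets).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + body + "\n=" + crc
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(block: str) -> bytes:
    """Decode one armor block and verify its CRC-24 trailer when present."""
    lines = block.strip().splitlines()[1:-1]           # drop BEGIN/END lines
    if "" in lines:                                    # armor headers end at a blank line
        lines = lines[lines.index("") + 1:]
    raw = base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))
    for ln in lines:
        if ln.startswith("=") and crc24(raw) != int.from_bytes(base64.b64decode(ln[1:]), "big"):
            raise ValueError("armor CRC mismatch: key file is truncated or corrupted")
    return raw

def iter_packets(data: bytes):
    """Yield (tag, body) for old- and new-format packet headers (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        tag_byte, i = data[i], i + 1
        if tag_byte & 0x40:                            # new-format header
            tag, first, i = tag_byte & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                          # old-format header, e.g. 0x99
            tag, ltype = (tag_byte >> 2) & 0x0F, tag_byte & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            n = 1 << ltype                             # 1, 2 or 4 length octets
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def fingerprint(key_body: bytes) -> str:
    """v4 fingerprint: SHA-1 over 0x99, a two-octet length, and the key packet body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body).hexdigest().upper()

def list_keys(keyring: str) -> list:
    """One entry per primary key; each concatenated armor block is parsed on its own."""
    keys = []
    for match in ARMOR_RE.finditer(keyring):
        for tag, body in iter_packets(dearmor(match.group(0))):
            if tag == 6:                               # Public-Key packet
                keys.append({"fingerprint": fingerprint(body),
                             "created": int.from_bytes(body[1:5], "big"), "uids": []})
            elif tag == 13 and keys:                   # User ID packet
                keys[-1]["uids"].append(body.decode("utf-8", "replace"))
    return keys

def check_keyring(keyring: str, expected: set) -> tuple:
    """(missing, unexpected) fingerprints relative to the release managers you trust."""
    present = {k["fingerprint"] for k in list_keys(keyring)}
    return expected - present, present - expected

# Constructed sample keys with toy RSA moduli: NOT real release-manager keys.
def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def _sample_key(uid: str, created: int, modulus: int) -> str:
    key = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(65537)
    uid_raw = uid.encode()
    return armor(bytes([0xC0 | 6, len(key)]) + key + bytes([0xC0 | 13, len(uid_raw)]) + uid_raw)

SAMPLE_KEYRING = (_sample_key("Release Manager A (constructed) <a@example.invalid>", 1600000000, 0xC0FFEE1234567891)
                  + _sample_key("Release Manager B (constructed) <b@example.invalid>", 1650000000, 0xDEADBEEF87654321))

if __name__ == "__main__":
    for key in list_keys(SAMPLE_KEYRING):
        print(key["fingerprint"], key["created"], key["uids"])
```

On a real keyring, call list_keys on the file contents (for example the concatenated mdadm.keyring; file name assumed) and record the fingerprints in the package's review notes so that a later change to the keyring shows up as an added or removed key rather than a wholesale replacement. The combined file is then handed to gpgverify in the form the Fedora packaging guidelines document, %{gpgverify} --keyring=%{SOURCE2} --signature=%{SOURCE1} --data=%{SOURCE0}, with the source numbering being an assumption here.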


--
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
