On 24.10.25 at 14:42 Panu Matilainen wrote:
On 10/24/25 12:35 PM, Vít Ondruch wrote:
On 24. 10. 25 at 11:15 Panu Matilainen wrote:
On 10/24/25 11:56 AM, Vít Ondruch wrote:
On 23. 10. 25 at 19:19 Allison King via devel-announce wrote:
Mock has a plugin for signing locally built packages, and COPR has
its own automatic signing.
Is this enabled by default?
For COPR, yes.
For mock, I don't see how it could be because it cannot know how
you'd like to sign your packages.
Honestly, neither do I. I was fine doing my packages without a
signature. But this change appears to force me (either to use some
additional options or) to have a signature. So this change seems
incomplete to me without mock signing the packages out of the box or
with a little documented setup.
Of course, we can add a bit about configuring mock to do signing eg
using a key set up with rpm-setup-autosign. That's a fair point.
You really want to simplify this?
cd $REPOPATH
# sign the package itself (signature is stored in the RPM header)
rpmsign --addsign --key-id=EB6676B1E707460E6DA4E5065630E369F6DDFFB7 $filename.rpm
# regenerate the repo metadata so it lists the signed file's checksum
createrepo .
# sign the metadata index; createrepo writes it to the repodata/ subdirectory
cd $REPOPATH/repodata
gpg2 --clearsign -u EB6676B1E707460E6DA4E5065630E369F6DDFFB7 repomd.xml
I'm pretty sure that people who regularly build their own rpms and repos
do not do it manually; they use scripts, so it's already "auto". Adding
these 2 commands will not make it any more complex than it is already.
From a security point of view, a random hacked repo can't introduce
updates for other packages if these are signed with the repo key. That
is a good thing and worth those two additional steps, besides creating
and posting the key. It's not safe to assume that if you are able to
hack the repo server, you also hacked the build & sign system. Therefore,
it's a security enhancement.
best regards,
Marius Schwarz
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
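The sign-then-publish flow Marius sketches, together with the client-side checks that make the "hacked repo server can't push updates" argument hold, as an added example that is not part of the thread and not code from mock, COPR or any Fedora tool. It assumes rpmsign, createrepo_c and gpg2 are installed, that KEYID (placeholder) is the fingerprint of a secret key in the local GnuPG keyring, and that REPOPATH (placeholder) is the repo directory. It signs repomd.xml with a detached ASCII-armored signature rather than clear-signing it, because repodata/repomd.xml.asc is the file dnf fetches when repo_gpgcheck=1 is set; the DRY_RUN switch only prints the commands so the flow can be exercised on a machine without the key. The example.invalid URLs are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes rpmsign, createrepo_c and
# gpg2 are installed and KEYID is a secret key in the local GnuPG keyring.
set -eu

# Execute a command, or only print it when DRY_RUN=1 (lets the flow be checked
# on a machine that has no signing key).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sign_repo REPOPATH KEYID: sign packages, rebuild metadata, sign the index.
sign_repo() {
    repo=$1
    keyid=$2
    # 1. Embed a signature in every package header (same rpmsign call as the mail).
    find "$repo" -type f -name '*.rpm' | sort | while read -r pkg; do
        run rpmsign --addsign --key-id="$keyid" "$pkg"
    done
    # 2. Regenerate repodata so the checksums in primary.xml cover the signed files.
    run createrepo_c "$repo"
    # 3. Detached armored signature -> repodata/repomd.xml.asc, the file dnf
    #    fetches when repo_gpgcheck=1. repomd.xml carries the checksums of every
    #    other metadata file, so this one signature covers the whole package list;
    #    a server-side edit of primary.xml breaks the chain and the client rejects it.
    run gpg2 --detach-sign --armor --yes -u "$keyid" "$repo/repodata/repomd.xml"
}

# verify_repo REPOPATH: what a consumer (or a post-publish check) does. Needs the
# public key in the GnuPG keyring for gpg2 and imported via 'rpm --import' for rpm.
verify_repo() {
    repo=$1
    run gpg2 --verify "$repo/repodata/repomd.xml.asc" "$repo/repodata/repomd.xml"
    find "$repo" -type f -name '*.rpm' | sort | while read -r pkg; do
        run rpm --checksig "$pkg"
    done
}

# client_repo_config NAME BASEURL GPGKEYURL: a .repo stanza that makes dnf refuse
# both unsigned packages (gpgcheck) and unsigned or altered metadata (repo_gpgcheck).
client_repo_config() {
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=1\ngpgkey=%s\n' \
        "$1" "$1" "$2" "$3"
}

# Usage (REPOPATH and KEYID are placeholders):
#   sign_repo "$REPOPATH" "$KEYID"
#   verify_repo "$REPOPATH"
#   client_repo_config myrepo https://example.invalid/repo \
#       https://example.invalid/RPM-GPG-KEY > /etc/yum.repos.d/myrepo.repo
```

Without repo_gpgcheck=1 on the client, only the packages are verified, so a compromised server could still serve old metadata or drop packages; signing repomd.xml closes that gap, which is the point made in the mail about separating the repo host from the build and signing machine.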