Petr Menšík venit, vidit, dixit 2026-01-16 16:55:25:
> I think it would help for a start, if we allowed verification of 
> signatures by something different than gnupg2. It MUST be done by 
> %{gpgverify} macro, meaning using sequoia-sqv is not allowed. Can we 
> change that, please?
> 
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
> 
> I have done that in dnsmasq for a test. It is nice, but parameters of 
> sqv are a bit different.
> 
> https://src.fedoraproject.org/rpms/dnsmasq/pull-request/24
> 
> I think sqv should be officially allowed, unless there exists a 
> well-specified reason why not.

Do you envisage different packages using different verification tools? I
don't think that flies well.

I do not read the guidelines as requiring that gpgverify needs to be
*that* gpgverify, only:

```
The verification MUST be done with the macro %{gpgverify}, which expands into a 
command whose parameters shall be the pathnames of the keyring, the signature 
and the signed file. BuildRequires: gpgverify is necessary for the verification 
to work.
```

sqv's purpose is not being a drop-in replacement. That purpose is served
by `gpgv-sq` from `sequoia-chameleon-gnupg`. `gpgverify` from the same
named package wraps `gpgv` and could simply wrap `gpgv-sq` instead, or
`sqv`. That way no package needs to change, assuming existing signatures
are "v4 or below".

Alternatively, the gpgverify macro could call `sqv` directly, keeping
the macro call signature as is.

I mean, if we use sq for rpm signatures we can use it for source tarball
checks by default, can't we?

Cheers
Michael
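
The wrapper approach suggested in the message above, as an added example that is not part of the original message and is not Fedora's actual `gpgverify` script. It assumes callers pass the three pathnames as `--keyring=`, `--signature=` and `--data=`; `gpgverify_sqv` and the `SQV_BIN` override are hypothetical names introduced for illustration.

```shell
#!/bin/sh
# Added example: keep the gpgverify call signature, but let sqv verify.
# Assumption: spec files call the macro with --keyring=, --signature=
# and --data=. SQV_BIN is a hypothetical override so the verifier can
# be swapped (for gpgv-sq, or for a stub in tests).

gpgverify_sqv() {
    keyring='' signature='' data=''
    for arg in "$@"; do
        case "$arg" in
            --keyring=*)   keyring=${arg#--keyring=} ;;
            --signature=*) signature=${arg#--signature=} ;;
            --data=*)      data=${arg#--data=} ;;
            *)
                echo "gpgverify: unknown parameter: $arg" >&2
                return 2 ;;
        esac
    done

    # Fail closed: a missing or unreadable input must never be
    # reported as a successful verification.
    for name in keyring signature data; do
        eval "value=\$$name"
        if [ -z "$value" ]; then
            echo "gpgverify: missing --$name=" >&2
            return 2
        fi
        if [ ! -r "$value" ]; then
            echo "gpgverify: cannot read $name file: $value" >&2
            return 2
        fi
    done

    # sqv takes the keyring as an option and the detached signature and
    # the signed file as positional arguments. It exits non-zero unless
    # the signature is good, and that status is returned unchanged so
    # the %prep step of the build fails on a bad signature.
    "${SQV_BIN:-sqv}" --keyring "$keyring" -- "$signature" "$data" >/dev/null
}
```

Installed as a script, the file would end with `gpgverify_sqv "$@"`, so existing spec files keep calling the macro unchanged.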