On Fri, Jan 16, 2026 at 11:13 AM Michael J Gruber <[email protected]> wrote:
>
> Petr Menšík venit, vidit, dixit 2026-01-16 16:55:25:
> > I think it would help for a start, if we allowed verification of
> > signatures by something different than gnupg2. It MUST be done by
> > %{gpgverify} macro, meaning using sequoia-sqv is not allowed. Can we
> > change that, please?
> >
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
> >
> > I have done that in dnsmasq for a test. It is nice, but parameters of
> > sqv are a bit different.
> >
> > https://src.fedoraproject.org/rpms/dnsmasq/pull-request/24
> >
> > I think sqv should be officially allowed, unless there exists a
> > well-specified reason why not.
>
> Do you envisage different packages using different verification tools? I
> don't think that flies well.
>
> I do not read the guidelines as requiring that gpgverify needs to be
> *that* gpgverify, only:
>
> ```
> The verification MUST be done with the macro %{gpgverify}, which expands into
> a command whose parameters shall be the pathnames of the keyring, the
> signature and the signed file. BuildRequires: gpgverify is necessary for the
> verification to work.
> ```
>
> sqv's purpose is not being a drop-in replacement. That purpose is served
> by `gpgv-sq` from `sequoia-chameleon-gnupg`. `gpgverify` from the same
> named package wraps `gpgv` and could simply wrap `gpgv-sq` instead, or
> `sqv`. That way no package needs to change, assuming existing signatures
> are "v4 or below".
>
> Alternatively, the gpgverify macro could call `sqv` directly, keeping
> the macro call signature as is.
>
> I mean, if we use sq for rpm signatures we can use it for source tarball
> checks by default, can't we?
>

It makes more sense to change gpgverify's defaults and add a flag to allow using GnuPG for packages that wind up with LibrePGP signatures.

-- 
真実はいつも一つ!/ Always, there's only one truth!
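
The wrapper idea discussed in this thread (gpgverify keeps its call signature, defaults to Sequoia, and a flag selects GnuPG for LibrePGP-signed sources), sketched as an added example; it is not Fedora's gpgverify script and was not posted by any participant. The `--keyring=`/`--signature=`/`--data=` form follows the packaging guidelines' macro usage, while the `--backend=` flag and the function names are hypothetical, and the sketch assumes the keyring is already in a format the chosen tool reads.

```shell
#!/bin/sh
# Added illustration, not Fedora's gpgverify script.
# HYPOTHETICAL flag: --backend=sq (default) or --backend=gnupg.
# Assumption: no keyring conversion is needed for the chosen tool.

# Print the verifier command, one argument per line, without running it.
verifier_argv() {
    backend=$1 keyring=$2 signature=$3 data=$4
    case $backend in
        sq)    printf '%s\n' sqv --keyring "$keyring" "$signature" "$data" ;;
        gnupg) printf '%s\n' gpgv --keyring "$keyring" "$signature" "$data" ;;
        *)     echo "gpgverify: unknown backend: $backend" >&2; return 2 ;;
    esac
}

# Parse the macro-style arguments and run the selected verifier.
gpgverify_main() {
    backend=sq keyring= signature= data=
    for arg in "$@"; do
        case $arg in
            --keyring=*)   keyring=${arg#*=} ;;
            --signature=*) signature=${arg#*=} ;;
            --data=*)      data=${arg#*=} ;;
            --backend=*)   backend=${arg#*=} ;;
            *) echo "gpgverify: unknown parameter: $arg" >&2; return 2 ;;
        esac
    done
    # Fail closed: a missing parameter must never count as "verified".
    if [ -z "$keyring" ] || [ -z "$signature" ] || [ -z "$data" ]; then
        echo "gpgverify: --keyring, --signature and --data are all required" >&2
        return 2
    fi
    argv=$(verifier_argv "$backend" "$keyring" "$signature" "$data") || return 2
    # Rebuild "$@" from the newline-separated list (paths containing
    # newlines are not supported by this sketch).
    old_ifs=$IFS; IFS='
'
    set -f; set -- $argv; set +f; IFS=$old_ifs
    # The verifier's exit status becomes the wrapper's exit status.
    "$@"
}
```

Because the spec file only ever sees the macro, switching the default backend in one place changes every package at once, and the build still fails whenever the selected verifier exits non-zero.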
