drago01 wrote:
> As for the GPG signature ... can't the drpm itself be signed?
If the metadata is getting signed, it basically is already. The metadata
contains a checksum of the DRPM, so if the metadata passes the signature
check and the DRPM matches the checksum, the DRPM's integrity and
uncompromisedness is verified. So I think it's safe to disable the checksum
check for the rebuilt RPMs entirely.
Kevin Kofler
--
fedora-devel-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/fedora-devel-list
