> @mlschroe Sadly, Fedora doesn’t sign its metadata.
We don't need to as we use metalinks. In the metalink is the checksum(s) for
the valid repomd.xml file. If someone tampers with the repodata it will not
match and the client will go on to the next one. But that's likely off-topic for
this issue.
Great. Note that koji devs were thinking perhaps moving to detached sigs would
be the way to go... but thanks for looking at this.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/r
Ah, bummer. Are there any plans to implement this anytime soon?
Our use case is around Fedora branching time... if we could sign rpms with both
the F(n)+1 (rawhide) and F(n) (branched) keys we could hardlink them and handle
the change of keys in mock and such easier.
Of course this would need
The rpmsign man page says:
"Both of the --addsign and --resign options generate and insert new signatures
for each package PACKAGE_FILE given, replacing any existing signatures. There
are two options for historical reasons, there is no difference in behavior
currently."
But:
https://github