On Thu, Jul 25, 2019 at 12:46:11PM +0200, Björn Persson wrote:
> Joe Orton wrote:
> > We'd put the set of trusted GPG keys in the repository alongside the
> > spec file, using some standard filename, and the build system would try
> > to check the .asc against the keys when downloading (or uploading? I can't
> > remember) a new tarball. This would ensure the tarball uploaded to the
> > lookaside cache was trusted.
> If you can implement that in such a way that the packager can't neglect
> to verify the signature, then that might also work for Fedora's needs.
> You'll have to think hard about how the code will know which source
> file to verify against which signature in all possible situations.
You talk like this is a hard problem but it was implemented that way for
the first N years of Fedora - possibly when the infrastructure was only
internal to Red Hat, I don't remember. It just got thrown away with the
move to git & fedpkg.
It worked from Makefiles but a fedpkg equivalent would be something
like:

fedpkg download => worked like spectool -g specfile.spec
                   but also fetched ${tarball}.asc
fedpkg upload X =>
    if ./gpgkeys exists:
        enforce verification of ${tarball} against ${tarball}.asc using ./gpgkeys
    actually upload X and update sources
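A sketch of the "fedpkg upload" pre-check described above, written as an added POSIX shell example; it is not fedpkg/rpkg code and not the old Fedora Makefile logic. It assumes the package keeps its trusted public keys in a single file named ./gpgkeys (the standard filename is hypothetical), and it addresses the "which signature for which source" question by trying the common detached-signature suffixes (.asc, .sig, .sign) next to the source file. Verification runs in a throwaway GNUPGHOME so that only the keys shipped in the repository can satisfy the check, never the packager's personal keyring.

```shell
#!/bin/sh
# Added example: enforce "no upload without a verified signature".
# Not fedpkg code. Assumes ./gpgkeys holds the package's trusted public keys.

# Map a source file to its detached signature by trying common suffixes.
# Prints the signature path; returns 1 when no signature file exists.
find_signature() {
    src=$1
    for suffix in .asc .sig .sign; do
        if [ -f "$src$suffix" ]; then
            printf '%s\n' "$src$suffix"
            return 0
        fi
    done
    return 1
}

# Verify $1 against detached signature $2 using ONLY the keys in file $3.
# A temporary GNUPGHOME (mode 0700 from mktemp -d) means a signature from a
# key that is merely in the packager's own keyring is rejected as "no public key".
gpg_verify_with_keys() {
    src=$1; sig=$2; keys=$3
    tmp=$(mktemp -d) || return 2
    rc=1
    if gpg --homedir "$tmp" --batch --quiet --import "$keys" 2>/dev/null \
       && gpg --homedir "$tmp" --batch --quiet --verify "$sig" "$src" 2>/dev/null; then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Upload policy. Returns 0 = allow upload, 1 = refuse.
#   $1 = source file to upload
#   $2 = key file (default ./gpgkeys); if absent the package has opted out
#   $3 = verifier function name (default gpg_verify_with_keys; overridable
#        so the policy logic can be exercised without a gpg installation)
upload_allowed() {
    src=$1; keys=${2:-./gpgkeys}; verifier=${3:-gpg_verify_with_keys}
    [ -f "$keys" ] || return 0
    sig=$(find_signature "$src") || {
        echo "refusing upload: no detached signature found for $src" >&2
        return 1
    }
    "$verifier" "$src" "$sig" "$keys" || {
        echo "refusing upload: $sig does not verify against $keys" >&2
        return 1
    }
    return 0
}

# Usage (constructed): upload_allowed foo-1.0.tar.gz && do_the_real_upload foo-1.0.tar.gz
```

The key property is that the check is not a step the packager performs by hand: once ./gpgkeys is committed, upload_allowed refuses both a missing signature and a bad one, and the only way to skip it is to delete the key file from the repository, which is visible in git history and reviewable.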