On Wed, Jul 18, 2012 at 2:28 AM, Adrian Schröter
The user doesn't verify if the received pubkey is a "correct"/expected key. That is, the gpg check that is performed is just some kind of integrity check (we do not verify authenticity, just that the package was signed with "some" key, which is delivered by the api).
Right, but the api is verified via the SSL certificate. So you trust the server that it hands you the right key for the project.
Is it? I don't remember setting up CA trust when connecting to my private OBS instance, and I would imagine I would have to in order to have osc validate the certificate. It would be really nice if osc did validate, I would applaud that :)

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
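Added example, not code from osc or the Build Service: the thread's point is that the signature check only proves integrity against whatever key the API handed over, so authenticity has to come from two checks the client itself enforces, a verified TLS connection to the API and a comparison of the received key against a fingerprint the user already trusts (for example one published by the project out of band). The script below is illustrative; the `/source/<project>/_pubkey` path is assumed from the OBS API, and the sample key, its creation time and the armor CRC line are constructed for the demo, not real OBS data.

```python
"""Pin both the transport and the key (added example, not osc code)."""
import base64
import hashlib
import hmac
import ssl
import urllib.request


def make_verifying_context(cafile=None):
    """TLS context that rejects servers whose certificate does not chain to a
    trusted CA (system store, or `cafile` for a private instance's CA) or whose
    name does not match the URL. A context with CERT_NONE would be the
    'integrity only' failure mode the thread describes for the key check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_is_verifying(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def fetch_project_key(api_url, project, ctx):
    """Fetch the project key over verified TLS (network call, not run offline).
    The API path is an assumption about OBS; the returned text is ASCII armored."""
    with urllib.request.urlopen(f"{api_url}/source/{project}/_pubkey", context=ctx) as resp:
        return resp.read().decode()


def dearmor(text):
    """Strip ASCII armor to the binary packets: skips armor headers, the blank
    separator line and the trailing =CRC24 line."""
    b64, in_block, past_headers = [], False, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            in_block = True
            continue
        if line.startswith("-----END PGP"):
            break
        if not in_block:
            continue
        if not past_headers:
            if line == "":
                past_headers = True
                continue
            if ":" in line:          # armor header such as "Version: GnuPG"
                continue
            past_headers = True      # no blank line: data starts here
        if line.startswith("="):      # CRC line, not part of the key data
            continue
        b64.append(line)
    return base64.b64decode("".join(b64))


def parse_public_key_packet(data):
    """Return the body of the leading OpenPGP public-key packet (tag 6);
    handles old-format 0x98/0x99 and new-format 0xC6 headers (RFC 4880 s4.2)."""
    tag = data[0]
    if tag in (0x98, 0x99):                       # old format, 1- or 2-byte length
        n = 1 + (tag & 0x03)
        length, start = int.from_bytes(data[1:1 + n], "big"), 1 + n
    elif tag == 0xC6:                             # new format
        first = data[1]
        if first < 192:
            length, start = first, 2
        elif first < 224:
            length, start = ((first - 192) << 8) + data[2] + 192, 3
        else:
            raise ValueError("unsupported packet length encoding")
    else:
        raise ValueError("not a public-key packet: tag byte 0x%02x" % tag)
    return data[start:start + length]


def openpgp_v4_fingerprint(body):
    """RFC 4880 s12.2: SHA-1 over 0x99, two-byte body length, body."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def verify_project_key(key_data, expected_fingerprint):
    """The authenticity step: the key the API returned must match a fingerprint
    the user obtained out of band. Returns False for malformed input."""
    try:
        got = openpgp_v4_fingerprint(parse_public_key_packet(key_data))
    except (ValueError, IndexError):
        return False
    return hmac.compare_digest(got, expected_fingerprint.replace(" ", "").upper())


def _mpi(value):
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed sample: a v4 RSA key packet with a toy modulus (not a usable key).
_BODY = b"\x04" + (1342600000).to_bytes(4, "big") + b"\x01" + _mpi((1 << 255) | 1) + _mpi(65537)
SAMPLE_KEY = b"\x99" + len(_BODY).to_bytes(2, "big") + _BODY
SAMPLE_ARMORED = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
                  + base64.b64encode(SAMPLE_KEY).decode()
                  + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")   # CRC line is a placeholder

if __name__ == "__main__":
    pinned = openpgp_v4_fingerprint(parse_public_key_packet(SAMPLE_KEY))  # what the user would pin
    print("sample fingerprint:", pinned)
    print("matches pinned fingerprint:", verify_project_key(dearmor(SAMPLE_ARMORED), pinned))
    print("matches a different fingerprint:", verify_project_key(dearmor(SAMPLE_ARMORED), "0" * 40))
```

For a private instance with its own CA, `make_verifying_context(cafile="/path/to/ca.pem")` is the piece the second reply is missing; without a CA the client cannot tell the real API from anything else answering on that port, and the key it hands back is only as trustworthy as that connection.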