Mailinglist Archive: opensuse-buildservice (140 mails)

< Previous Next >
Re: [opensuse-buildservice] adding checksums to the buildinfo
On Wed, Jul 18, 2012 at 11:57:52AM -0300, Claudio Freire wrote:
On Wed, Jul 18, 2012 at 2:28 AM, Adrian Schröter <adrian@xxxxxxx> wrote:
The user doesn't verify if the received pubkey is a "correct"/expected
key. That is the performed gpg check is just some kind of integrity check
(we do not verify authenticity - just that the package was signed with
"some" key (which is delivered by the api)).

Right, but the api is verified via the SSL certificate. So you trust the
server that it hands you the right key for the project.

Is it?

I don't remember setting up CA trust when connecting to my private OBS
instance, and I would imagine I would have to in order to have osc
validate the certificate.

It would be really nice if osc did validate, I would applaud that :)

It does.

If your https is already signed with a valid CA then the query will not show up.

Of course you need to interface with "https://...."; as API url.

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups