Stanislav Brabec wrote:
I wrote a simple tool that provides build-time GPG signature verification. It could remove the need for tarball content verification while still being safe. Submit reviewers will just review changes in the spec files and patches, and especially verify that the GPG verification command is not removed without rationale. [...]
IIUC there's a central "database" of known keys in a package. That makes it harder to introduce new packages or to use the same mechanism for third-party packages, I think. So it might be better to store the known keys in the packages themselves. Reviewers just have to make sure that the known keys are not changed.
Usage in packages would be straightforward:
  BuildRequires: gpg-upstream-keys

  %prep
  %gpg_verify %{S:1}
  %setup -q
I wonder whether this could be integrated in rpm directly. Something like

  Keys: keys.asc
  Source0: http://www.foo.bar/%name-%version.tar.bz2
  Signature0: http://www.foo.bar/%name-%version.tar.bz2.asc

Then rpm (or the download_url service) could check the signatures automatically.

cu
Ludwig
-- 
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)