On Wed, Jul 18, 2012 at 11:57:52AM -0300, Claudio Freire wrote:
On Wed, Jul 18, 2012 at 2:28 AM, Adrian Schröter wrote:
The user doesn't verify if the received pubkey is a "correct"/expected key. That is, the performed gpg check is just some kind of integrity check (we do not verify authenticity - just that the package was signed with "some" key (which is delivered by the api)).
Right, but the api is verified via the SSL certificate. So you trust the server that it hands you the right key for the project.
Is it?
I don't remember setting up CA trust when connecting to my private OBS instance, and I would imagine I would have to in order to have osc validate the certificate.
It would be really nice if osc did validate, I would applaud that :)
It does. If your https is already signed with a valid CA then the query will not show up. Of course you need to interface with "https://...." as API url.

Ciao, Marcus