On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.
They are only self-signed
A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository?
(besides an signature by 6B9D6523, openSUSE Build Service <buildservice@opensuse.org>, which expired in 2008)
We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from?
using http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/..., so it is not possible to check its validity using OpenPGP's web of trust. Would it be possible to provide verifiable repositories keys, either by signing them or by providing them via https?
The pubkey are signed by the openSUSE Build Service key, right? It would indeed be nice if download.opensuse.org also provided https. Cheers, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org