On Wed, Jun 19, 2013 at 02:42:28PM +0200, Jan Engelhardt wrote:
On Wednesday 2013-06-19 09:07, Marcus Meissner wrote:
If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered.. A question for all the verification promoters ;-)
After talking with coolo I now implemented a check also in the obs-service-source_validator
- It looks for *.keyring files and imports them.
- If found, it looks for *.sig and *.asc files and verifies them.
Please do support transparent decompression, for the case of
  linux-3.9.6.tar.sig
  linux-3.9.6.tar.xz
Here, the archive needs to be decompressed before gpg is willing to verify the signature.
Unless I am allowed to rewrite this in perl instead of bash... Probably not.

Also we should not do recompression of tarballs. :/

Ciao, Marcus
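The check discussed in this thread (import *.keyring files, verify *.sig and *.asc files, and stream-decompress for the linux-3.9.6.tar.sig case without recompressing anything), as an added shell example. It is not the obs-service-source_validator code; the function names are hypothetical, and it assumes gpg, xz, gzip and bzip2 are installed.

```shell
#!/bin/sh
# Added example; all function names here are hypothetical.

# Command that streams the uncompressed content of a file.
decompressor_for() {
    case "$1" in
        *.xz)  echo "xz -dc" ;;
        *.gz)  echo "gzip -dc" ;;
        *.bz2) echo "bzip2 -dc" ;;
        *)     echo "cat" ;;
    esac
}

# Print "<command>|<file>" for the data a detached signature covers.
# foo.tar.xz.sig covers foo.tar.xz as-is; foo.tar.sig covers foo.tar,
# which may only exist compressed and is then streamed, never rewritten.
find_signed_payload() {
    base="${1%.*}"                      # strip .sig / .asc
    if [ -f "$base" ]; then echo "cat|$base"; return 0; fi
    for ext in xz gz bz2; do
        if [ -f "$base.$ext" ]; then
            echo "$(decompressor_for "$base.$ext")|$base.$ext"
            return 0
        fi
    done
    return 1
}

# Verify every *.sig / *.asc in a directory against its *.keyring files.
# Runs in a subshell so the throwaway GNUPGHOME does not leak out.
verify_sources() (
    dir="$1"; rc=0
    set -- "$dir"/*.keyring
    [ -f "$1" ] || exit 0               # no keyring shipped: nothing to check
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    gpg --batch --quiet --import "$@" || rc=1
    for sig in "$dir"/*.sig "$dir"/*.asc; do
        [ -f "$sig" ] || continue
        if payload=$(find_signed_payload "$sig"); then
            # Only keys from the package's keyring exist in this GNUPGHOME,
            # so a signature by any other key fails with "no public key".
            ${payload%%|*} "${payload#*|}" | gpg --batch --verify "$sig" - || rc=1
        else
            echo "no data file for $sig" >&2; rc=1
        fi
    done
    rm -rf "$GNUPGHOME"
    exit $rc
)
```

Call `verify_sources <package-dir>`; a non-zero exit status means a signature failed to verify or had no matching data file.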