On Tue, Dec 04, 2012 at 09:53:10AM +0100, Stephan Kulow wrote:
On 04.12.2012 09:26, Michal Vyskocil wrote:
On Mon, Dec 03, 2012 at 08:33:25PM +0100, Stanislav Brabec wrote:
Stanislav Brabec wrote:
I just implemented signature verification for all packages that already contained a signature and/or a trusted keyring. But I did not verify that the signature submitted by packagers is the signature of the real author.
Just a hint for people who got one of these requests:
If you want to build a package for older SUSE versions and don't want to link or aggregate gpg-offline into your devel projects, nor use the ugly prjconf trick, feel free to add %if statements to your spec file.
Example:
Source2. %{name}.keyring +%if 0%{?suse_version} > 1220 BuildRequires: gpg-offline +%endif
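Review bot: the %if guards only the BuildRequires line, but the %prep call to gpg-offline that the later replies mention needs the same `%if 0%{?suse_version} > 1220` / `%endif` guard, otherwise a build for an older target runs a tool that was never installed and fails in %prep. Two smaller points on the visible lines: `> 1220` excludes openSUSE 12.2 itself (suse_version 1220), so confirm that is intended rather than `>= 1220`, and `Source2.` should presumably read `Source2:`.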
If we accept that the verification is applied to Factory packages only, maybe coolo can call it from the factory-auto scripts? Then we don't need to pollute BuildRequires and %prep; the downside is that it won't work in devel projects or in plain rpm, as your approach does.
CCing coolo: what do you think?
This actually sounds like something to be put in the source validator or a similar source service that runs on checkin. And that I can then call from factory-auto.
That's probably a good idea, @sbrabec; can I ask for this change?
I agree that ugly %suse_version %preps are not worth the extra felt security, especially as we do no checks on the keyring whatsoever.
I've emailed the review team a HOWTO on how to check keyrings. Therefore, at least for Factory, all .keyring files will be reviewed by us. I'm afraid there is no easy way to deal with it, unless someone else reviews it manually.

Regards,
Michal Vyskocil
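The gap the thread keeps circling back to is that a signature check against a packager-supplied keyring only proves the tarball was signed by *some* key in that keyring, not by the real upstream author. The script below is an added example, not gpg-offline's own code nor anything from this thread: it verifies a detached signature in an isolated GNUPGHOME using only the shipped keyring, then pins the primary key fingerprint so a valid signature from an unexpected key is rejected. The function names `verify_pinned` and `setup_fixture`, the sample key, tarball and keyring are all constructed here for illustration; it assumes gpg 2.1 or newer on PATH.

```shell
#!/bin/sh
# Added example (not gpg-offline's code): verify a tarball's detached
# signature using only the package's keyring, then pin the signing key's
# fingerprint. Requires gpg >= 2.1 on PATH. All fixture data is constructed.
set -eu

# verify_pinned FILE SIG KEYRING EXPECTED_PRIMARY_FPR
# Imports KEYRING into a throw-away GNUPGHOME (so the caller's own keyring and
# trust database play no part), verifies SIG over FILE, and returns 0 only if
# the signature is good AND the signing key's primary fingerprint is EXPECTED.
verify_pinned() {
    file=$1 sig=$2 keyring=$3 expected=$4
    home=$(mktemp -d)
    chmod 700 "$home"
    rc=1
    if GNUPGHOME=$home gpg --batch --quiet --import "$keyring" 2>/dev/null; then
        # --status-fd 1 gives machine-readable lines; on a good signature gpg
        # emits "[GNUPG:] VALIDSIG <sigkey-fpr> ... <primary-key-fpr>".
        # Trust level is irrelevant here because we compare the fingerprint.
        got=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
              | awk '$2 == "VALIDSIG" { print $NF; exit }')
        [ -n "$got" ] && [ "$got" = "$expected" ] && rc=0
    fi
    GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
    return $rc
}

# setup_fixture: constructed test data, the way an upstream and a packager
# would produce it. Sets TARBALL, SIG, KEYRING, TAMPERED and UPSTREAM_FPR.
setup_fixture() {
    FIXTURE_DIR=$(mktemp -d)
    trap 'rm -rf "$FIXTURE_DIR"' EXIT
    keyhome=$FIXTURE_DIR/upstream-gnupg
    mkdir -m 700 "$keyhome"
    # Hypothetical upstream key, no passphrase, never expires.
    GNUPGHOME=$keyhome gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Upstream Test <upstream@example.invalid>' default default never 2>/dev/null
    UPSTREAM_FPR=$(GNUPGHOME=$keyhome gpg --batch --list-keys --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    TARBALL=$FIXTURE_DIR/foo-1.0.tar.gz
    printf 'constructed sample tarball contents\n' > "$TARBALL"
    SIG=$TARBALL.sig
    GNUPGHOME=$keyhome gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --detach-sign --output "$SIG" "$TARBALL"
    # The keyring a packager would ship as SourceN: %{name}.keyring
    KEYRING=$FIXTURE_DIR/foo.keyring
    GNUPGHOME=$keyhome gpg --batch --export "$UPSTREAM_FPR" > "$KEYRING"
    # A modified copy of the tarball, to show the signature check itself works.
    TAMPERED=$FIXTURE_DIR/foo-1.0-tampered.tar.gz
    cp "$TARBALL" "$TAMPERED"
    printf 'x' >> "$TAMPERED"
    GNUPGHOME=$keyhome gpgconf --kill gpg-agent 2>/dev/null || true
}

setup_fixture
if verify_pinned "$TARBALL" "$SIG" "$KEYRING" "$UPSTREAM_FPR"; then
    echo "genuine tarball, pinned key: accepted"
fi
if ! verify_pinned "$TARBALL" "$SIG" "$KEYRING" 0000000000000000000000000000000000000000; then
    echo "valid signature but not the pinned key: rejected"
fi
if ! verify_pinned "$TAMPERED" "$SIG" "$KEYRING" "$UPSTREAM_FPR"; then
    echo "tampered tarball: rejected"
fi
```

The second case is the one the thread is about: the signature is cryptographically fine and the key is in the shipped keyring, yet the check fails because the fingerprint is not the one a reviewer recorded. That recorded fingerprint is exactly what a keyring review has to establish out of band (upstream's website, release announcements, a prior release), since nothing in the package itself can prove it.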