Hi, when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure. But it occurred to me that this might not actually be needed, because we sign repository metadata using the same keys and that metadata contains hashes of files, so those are already protected against malicious modification. Are there tools, processes or people using those sigs on individual RPMs?

The background is that when trying to reproduce a build to verify that it is bit-by-bit identical to what was published before, we can only compare parts of it, because the signature and its timestamp will always be different. We could try to strip such information that is known to vary, but it also has some appeal to get completely identical results.

Ciao
Bernhard M.

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
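As an added example, not part of the mail above or of the OBS/rpm tooling: a small Python parser that walks the RPM lead and the signature header and hashes only what follows them (main header plus payload), so two builds that differ solely in their signature header compare equal. The tag numbers and byte strings used by make_fake_rpm are constructed for the demonstration, not taken from a real package.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic, version 1


def header_length(blob: bytes, off: int, pad: bool) -> int:
    """Byte length of the header structure at `off`: 16-byte intro
    (magic, reserved, index count, store size), 16-byte index entries,
    then the store. The signature header is padded to 8 bytes so the
    main header starts aligned; the main header is not padded."""
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError(f"no header structure at offset {off}")
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    length = 16 + 16 * nindex + hsize
    return length + (8 - length % 8) % 8 if pad else length


def signed_content_digest(rpm: bytes) -> str:
    """SHA-256 over the main header plus payload, i.e. everything after
    the signature header. Two reproducible builds that were signed
    separately (different signature, different signing time) give the
    same value, so this is the part worth comparing."""
    if rpm[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    sig_len = header_length(rpm, LEAD_SIZE, pad=True)
    return hashlib.sha256(rpm[LEAD_SIZE + sig_len:]).hexdigest()


def build_header(entries) -> bytes:
    """Serialise a header structure from (tag, bytes) pairs as BIN type."""
    index, store = b"", b""
    for tag, data in entries:
        index += struct.pack(">IIII", tag, 7, len(store), len(data))  # 7 = BIN
        store += data
    intro = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return intro + index + store


def make_fake_rpm(signature: bytes, payload: bytes) -> bytes:
    """Constructed, RPM-shaped sample (not an installable package): lead,
    padded signature header holding `signature`, main header, payload."""
    lead = LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4)
    sig = build_header([(1000, signature)])  # tag number arbitrary for the sample
    sig += b"\0" * ((8 - len(sig) % 8) % 8)
    main = build_header([(1000, b"hello-1.0-1.noarch")])  # arbitrary sample tag
    return lead + sig + main + payload


if __name__ == "__main__":
    a = make_fake_rpm(b"sig-from-first-signing-run-1234", b"payload")
    b = make_fake_rpm(b"different-sig-22-bytes", b"payload")
    print(signed_content_digest(a) == signed_content_digest(b))  # True
```

This removes only the signature header; fields inside the main header that record when a package was built are left in place and still have to be made reproducible on their own.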