On Monday, 28 November 2016, 09:34:04 CET, Mathias Homann wrote:
> On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
>> when building RPMs in OBS, each of them is signed with a private key
>> that is kept somewhere in the OBS infrastructure.
>> But it occurred to me that this might not actually be needed, because we
>> sign repository metadata using the same keys and that metadata contains
>> hashes of files, so those are already protected against malicious
>> Are there tools, processes or people using those sigs on individual rpms?
> Yup, rpm itself does. It can be set to refuse unsigned RPMs.
> You can also check against the digital signature when verifying packages.
> Lastly, people can always manually download and install packages without
> adding the repositories.
and osc does. It downloads RPMs which may not even be published at that point
of time and validates them (at least when not building in a safe env like kvm).
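To make concrete what "refusing unsigned RPMs" looks at, here is an added example (not code from this thread, OBS, osc or rpm) that parses the signature header of an RPM file and reports whether it carries a per-package OpenPGP signature tag (RPMSIGTAG_RSA/DSA or the legacy PGP/GPG tags). The sample RPMs it checks are constructed in the script itself: a lead plus a minimal signature header, with a placeholder signature blob rather than a real OpenPGP packet. It detects presence only; actual verification against imported keys is what `rpm -K` / `rpm --checksig` does.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"   # magic at offset 0 of every RPM
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # magic of the signature and main headers
LEAD_SIZE = 96                         # the lead is always 96 bytes

# Signature-header tags that carry an OpenPGP signature. RSA/DSA cover the
# main header; the legacy PGP/GPG tags cover header+payload.
SIGNATURE_TAGS = {
    267: "RPMSIGTAG_DSA",
    268: "RPMSIGTAG_RSA",
    1002: "RPMSIGTAG_PGP",
    1005: "RPMSIGTAG_GPG",
}


def parse_signature_tags(data: bytes) -> dict:
    """Return {tag: (type, offset, count)} for every entry in the signature header."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    pos = LEAD_SIZE
    if data[pos:pos + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # header layout: magic(4) reserved(4) index-count(4) data-size(4)
    nindex, _hsize = struct.unpack(">II", data[pos + 8:pos + 16])
    pos += 16
    tags = {}
    for _ in range(nindex):
        tag, typ, off, cnt = struct.unpack(">IIII", data[pos:pos + 16])
        pos += 16
        tags[tag] = (typ, off, cnt)
    return tags


def has_pgp_signature(data: bytes) -> bool:
    """True if any OpenPGP signature tag is present in the signature header."""
    return any(t in SIGNATURE_TAGS for t in parse_signature_tags(data))


def check_policy(data: bytes) -> str:
    """Policy verdict a repository gate could log: which signature tags were found."""
    found = sorted(SIGNATURE_TAGS[t] for t in parse_signature_tags(data) if t in SIGNATURE_TAGS)
    return "signed:" + ",".join(found) if found else "UNSIGNED"


def build_sample_rpm(signed: bool) -> bytes:
    """Constructed minimal RPM (lead + signature header only) for this demo."""
    lead = RPM_LEAD_MAGIC + bytes([3, 0]) + b"\0" * (LEAD_SIZE - 6)  # version 3.0
    entries = [
        (1000, 4, struct.pack(">I", 12345), 1),  # RPMSIGTAG_SIZE, INT32
        (1004, 7, bytes(range(16)), 16),         # RPMSIGTAG_MD5, BIN
    ]
    if signed:
        fake_sig = b"\x89\x02\x15" + b"\0" * 29  # placeholder bytes, not a real OpenPGP packet
        entries.append((268, 7, fake_sig, len(fake_sig)))  # RPMSIGTAG_RSA, BIN
    index = b""
    store = b""
    for tag, typ, blob, cnt in entries:
        index += struct.pack(">IIII", tag, typ, len(store), cnt)
        store += blob
    hdr = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store
    hdr += b"\0" * (-len(hdr) % 8)  # rpm pads the signature header to 8 bytes
    return lead + hdr


if __name__ == "__main__":
    for label, pkg in (("signed", build_sample_rpm(True)), ("unsigned", build_sample_rpm(False))):
        print(f"{label}: {check_policy(pkg)}")
```

The same check on a real file is `rpm -K foo.rpm` (or `rpm --checksig`), which additionally verifies the signature against the keys in the rpm keyring; a gate that only tests for the tag's presence, as above, tells you an unsigned package slipped through but not that a present signature is good. On the client side, `gpgcheck=1` in the zypper/yum repository configuration is what turns on the per-package check the thread refers to.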