Mailinglist Archive: opensuse-buildservice (314 mails)

Re: [opensuse-buildservice] osc build & sign keys
  • From: Marcus Rueckert <darix@xxxxxxxxx>
  • Date: Sat, 26 Jan 2008 16:58:59 +0100
  • Message-id: <20080126155859.GP31080@xxxxxxxxxxxxxxxxxxxxxxx>
On 2008-01-26 09:16:55 +0100, Susanne Oberhauser wrote:
> Marcus Rueckert <darix@xxxxxxxxx> writes:
> > rpm does not support multiple sigs on one rpm.
>
> a) I wouldn't put bets on that (I think it does, maybe buggy on and
> off, but you can add multiple signatures and installation will
> succeed if one of the keys is in /bin/rpm's keyring)

rpm --addsign (from the manpage)
"Both of the --addsign and --resign options generate and insert new
signatures for each package PACKAGE_FILE given, replacing any existing
signatures. There are two options for historical reasons, there is no
difference in behavior currently."

> But thinking through it, alternatively, as rpm does support multiple
> signatures on the same package, would it be ok if aggregation adds a
> blessing to the package and it gets dual signed in both repos? So I
> think the following would do the trick too:
>
> I alternatively propose that aggregation means blessing of a
> package, so the package will be signed with the original repo's key
> as well as with the aggregating repo's key.
>
> In addition to maintaining 'hardlinkability' I think the semantics
> are ok: you'd never aggregate a package that you don't trust. And
> the other way 'round the additional signature in the other
> repository won't harm, AFAICT it's sufficient to trust one of the
> signatures to get a package installed so the aggregating signature
> doesn't change anything.

i am pretty sure it does not support multiple keys.


openSUSE - SUSE Linux is my linux
openSUSE is good for you