Mailinglist Archive: opensuse-buildservice (140 mails)

< Previous Next >
Re: [opensuse-buildservice] adding checksums to the buildinfo
  • From: Claudio Freire <klaussfreire@xxxxxxxxx>
  • Date: Wed, 18 Jul 2012 11:57:52 -0300
  • Message-id: <CAGTBQpZoEQ0fj=tXqiY9gBDYOx83qsKwmZO_TQPRc+qL7wA84Q@mail.gmail.com>
On Wed, Jul 18, 2012 at 2:28 AM, Adrian Schröter <adrian@xxxxxxx> wrote:
The user doesn't verify if the received pubkey is a "correct"/expected
key. That is the performed gpg check is just some kind of integrity check
(we do not verify authenticity - just that the package was signed with
"some" key (which is delivered by the api)).

Right, but the api is verified via the SSL certificate. So you trust the
server that it hands you the right key for the project.

Is it?

I don't remember setting up CA trust when connecting to my private OBS
instance, and I would imagine I would have to in order to have osc
validate the certificate.

It would be really nice if osc did validate, I would applaud that :)
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups