On Wednesday 2013-06-19 09:07, Marcus Meissner wrote:
If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered? A question for all the verification promoters ;-)
After talking with coolo I now implemented a check also in the obs-service-source_validator
- It looks for *.keyring files and imports them.
- If found, it looks for *.sig and *.asc files and verifies them.
Please do support transparent decompression, for the case of

linux-3.9.6.tar.sig
linux-3.9.6.tar.xz

Here, the archive needs to be decompressed before gpg is willing to verify the signature. The same would be helpful to put down SHA checksums of the .tar in the _service file, rather than for the .tar.xz.
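The decompress-then-verify behaviour requested above, as an added Python example that is not part of the original message and not the obs-service-source_validator code. The function names, the set of compression suffixes and the throwaway GNUPGHOME are assumptions made for illustration.

```python
import bz2, gzip, hashlib, lzma, subprocess, tempfile

# Compressed suffix -> stdlib opener used to recover the signed .tar bytes.
OPENERS = {".xz": lzma.open, ".gz": gzip.open, ".bz2": bz2.open}
SIG_SUFFIXES = (".sig", ".asc")  # the two suffixes named in the thread

def find_payload(sig_name, names):
    """Return (archive name, opener) for the data a detached signature covers."""
    base = next((sig_name[:-len(s)] for s in SIG_SUFFIXES if sig_name.endswith(s)), None)
    if base is None:
        raise ValueError("not a signature file: " + sig_name)
    if base in names:  # foo.tar.xz.sig signs the compressed file: read it raw
        return base, open
    hits = [(base + ext, op) for ext, op in OPENERS.items() if base + ext in names]
    if len(hits) != 1:  # missing or ambiguous archive: refuse to guess
        raise LookupError("%d candidates for %s" % (len(hits), sig_name))
    return hits[0]  # foo.tar.sig next to foo.tar.xz: decompress on the fly

def stream(path, opener, chunk=1 << 20):
    """Yield the signed bytes in chunks so large tarballs never sit in memory."""
    with opener(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return
            yield block

def sha256_of_payload(path, opener):
    """Checksum of the uncompressed .tar, stable across recompression."""
    digest = hashlib.sha256()
    for block in stream(path, opener):
        digest.update(block)
    return digest.hexdigest()

def gpg_verify(sig_path, path, opener, keyring):
    """Import the package keyring into a throwaway GNUPGHOME and verify stdin."""
    with tempfile.TemporaryDirectory() as home:
        gpg = ["gpg", "--batch", "--homedir", home]
        subprocess.run(gpg + ["--import", keyring], check=True)
        proc = subprocess.Popen(gpg + ["--verify", sig_path, "-"], stdin=subprocess.PIPE)
        try:
            for block in stream(path, opener):
                proc.stdin.write(block)
            proc.stdin.close()
        except BrokenPipeError:
            pass  # gpg exited early; its exit status below decides
        return proc.wait() == 0
```

Because the temporary keyring holds only the keys shipped with the package, a zero exit status from `gpg --verify` means the uncompressed archive was signed by one of those keys.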