On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
Hi,
when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure.
But it occurred to me that this might not actually be needed, because we sign repository metadata using the same keys, and that metadata contains hashes of the files, so those are already protected against malicious modification.
Are there tools, processes or people using those sigs on individual rpms?
Yup, rpm itself does. It can be set to refuse unsigned RPMs. You can also check against the digital signature when verifying packages. Lastly, people can always manually download and install packages without adding the repositories.

Cheers
Mathias

--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
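The last case Mathias raises (a package downloaded by hand and installed without any repository) is exactly where the per-package signature matters, since no signed repository metadata covers the file. The script below is an added example, not code from this thread or from the openSUSE project: it wraps rpm's own `rpm --checksig` and accepts a package only when the output shows an OpenPGP signature that verified, rejecting packages that carry digests only (unsigned) or whose signature failed or key is missing. The function names and the sample output lines are constructed; the `--checksig` wording differs between rpm versions, and the patterns matched here are assumptions based on the common one-line forms.

```shell
#!/bin/sh
# Hypothetical helper (added example): classify one line of `rpm --checksig`
# output. Returns 0 only when the line reports a verified OpenPGP signature.
# A line reporting digests only means the package is unsigned, which is the
# situation a repository-metadata signature would not protect against when the
# file was fetched outside the repository.
rpm_sig_status() {
    line="$1"
    case "$line" in
        *"NOT OK"*)
            # Bad signature, tampered payload, or key not imported (MISSING KEYS).
            echo "rejected: signature check failed: $line"
            return 1 ;;
        *"signatures OK"*|*pgp*OK*)
            # rpm >= 4.14 prints "digests signatures OK"; older versions list
            # the algorithms, e.g. "rsa sha1 (md5) pgp md5 OK".
            echo "accepted: signed and verified: $line"
            return 0 ;;
        *OK*)
            # "digests OK" / "sha1 md5 OK": checksums only, no signature present.
            echo "rejected: unsigned (digests only): $line"
            return 1 ;;
        *)
            echo "rejected: unrecognised checksig output: $line"
            return 1 ;;
    esac
}

# Hypothetical wrapper: run rpm's real --checksig on a package file and apply
# the policy above before anyone runs `rpm -i` on it. The signing key must
# already have been imported with `rpm --import`, otherwise rpm reports
# MISSING KEYS and the package is rejected rather than silently accepted.
verify_rpm_file() {
    pkg="$1"
    out=$(rpm --checksig "$pkg" 2>&1) || true
    rpm_sig_status "$out"
}

# Stand-alone demonstration on constructed sample lines (no rpm needed).
if [ "${1:-}" = "--demo" ]; then
    rpm_sig_status "foo-1.0-1.x86_64.rpm: digests signatures OK"
    rpm_sig_status "foo-1.0-1.x86_64.rpm: digests OK" || :
    rpm_sig_status "foo-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK" || :
fi
```

Run `sh verify-rpm.sh --demo` to see the three classifications, or call `verify_rpm_file some-package.rpm` on a real file; the exit status is what a wrapper script or CI step should gate on, not the printed text.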