Hello,
we've got a new section in Packaging Guidelines about verifying upstream sources[0] with GPG. Please use it whenever possible :)
Thanks!
[0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_veri...
On Wed, Jul 24, 2019 at 11:15:26PM +0200, Igor Gnatenko wrote:
> Hello,
> we've got a new section in Packaging Guidelines about verifying upstream sources[0] with GPG. Please use it whenever possible :)
> Thanks!
> [0] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_veri...
It seems completely daft doing this at build time.
In the historic CVS-based build system which predated what we now use, we could do GPG key verification at the time of downloading and importing a new tarball. This makes FAR more sense to me than checking the signature on the same tarball every build.
We'd put the set of trusted GPG keys in the repository alongside the spec file, using some standard filename, and the build system would try to check the .asc against the keys when downloading (or uploading? I can't remember) a new tarball. This would ensure the tarball uploaded to the lookaside cache was trusted.
Regards, Joe
"JO" == Joe Orton <jorton@redhat.com> writes:
JO> In the historic CVS-based build system which predated what we now
JO> use, we could do GPG key verification at the time of downloading and
JO> importing a new tarball.
You're right; tmz dug up a copy of the old Makefile.common file: https://tmz.fedorapeople.org/tmp/Makefile.common
I believe this is simply functionality that wasn't duplicated into fedpkg (or rpkg or whatever) when we stopped using Makefiles. It would certainly be useful to have it implemented and is worth someone opening a ticket.
And in any case, it's still perfectly valid to check signatures at package %prep time. Imagine I'm building from an srpm that I've unpacked, or have grabbed the spec and run spectool -g. Why not have the specfile check the signatures at that point? Doing it there doesn't preclude doing it at some other step as well, and it's not as if this is all that computationally expensive these days.
- J<
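To make the "%prep-time check" concrete, here is an added example spec skeleton (not part of the thread, the old Makefile.common, or the guideline page itself) showing how a package can refuse to unpack a tarball whose detached signature does not verify against a key kept in dist-git beside the spec. It assumes the `%{gpgverify}` helper shipped in redhat-rpm-config, which wraps gpgv from gnupg2; the package name, URLs and the key-file fingerprint are placeholders.

```rpmspec
# Added example, not the thread's or Fedora's own code. Name, URLs and the
# fingerprint in the key file name are hypothetical placeholders.
Name:           example
Version:        1.0
Release:        1%{?dist}
Summary:        Example package that verifies its upstream tarball signature
License:        MIT
URL:            https://example.invalid/%{name}

# Source0: the upstream tarball that lands in the lookaside cache
# Source1: upstream's detached signature for Source0
# Source2: the upstream public key, exported once by the packager and checked
#          into the package repository next to the spec file (assumed naming:
#          gpgkey-<FINGERPRINT>.gpg, exported with gpg --export --export-options export-minimal)
Source0:        https://example.invalid/releases/%{name}-%{version}.tar.gz
Source1:        https://example.invalid/releases/%{name}-%{version}.tar.gz.asc
Source2:        gpgkey-0123456789ABCDEF0123456789ABCDEF01234567.gpg

# %{gpgverify} comes from redhat-rpm-config (present in every Fedora buildroot);
# gnupg2 supplies the gpgv binary it runs.
BuildRequires:  gnupg2

%description
Demonstrates verifying the upstream source signature before unpacking.

%prep
# Runs before anything is extracted: gpgv checks Source1 over Source0 using
# only the keyring in Source2. A non-zero exit aborts the build, so neither a
# tampered tarball nor a signature from an unknown key ever reaches %build.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```

Because the keyring is a tracked file in the package repository rather than anything fetched at build time, a key rotation upstream shows up as an explicit change to Source2 in review, and the same check runs identically whether the build starts from an unpacked SRPM, a `spectool -g` checkout, or Koji.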