I build my RPMs on one system but GPG sign them on another, which seems to work fine with the rpmsign command. I was just wondering: is it customary to sign just the source RPM, or both the source and binary RPMs? Does it hurt anything to sign both?
On Apr 23, 2012 2:51 PM, "Christopher Howard" <christopher.howard@frigidcode.com> wrote:
> I build my RPMs on one system but GPG sign them on another, which seems to work fine with the rpmsign command. I was just wondering: is it customary to sign just the source RPM, or both the source and binary RPMs? Does it hurt anything to sign both?
I sign both srpm and rpm as myself (the packager).
They get re-signed with the deployment key when they're copied to the yum server.
hth, -paul
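An added example, not from this thread: the check a repository operator would run after the re-signing step Paul describes. It parses `rpm -Kv` output and requires that every signature line verifies and that at least one is by the expected deployment key, since a package that merely "has a signature" may still carry only the packager's key or an unknown one. The package name and key ID in the sample output are constructed, and `rpm` is assumed to be installed with the deployment public key imported.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes the rpm CLI is
# installed and the deployment public key was imported with `rpm --import`.

# Constructed sample of `rpm -Kv` output for a package signed by key 45719a39.
SAMPLE_CHECKSIG_OUTPUT='foo-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 45719a39: OK
    Header SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 45719a39: OK
    MD5 digest: OK'

# Extract the key ID from one signature result line; prints the ID in lowercase
# hex, or nothing when the line is not a verified ("OK") signature line.
key_id_from_checksig_line() {
    printf '%s\n' "$1" \
        | sed -n 's/.*[Ss]ignature, key ID \([0-9a-fA-F]*\): OK$/\1/p' \
        | tr 'A-F' 'a-f'
}

# Succeed only if every "Signature" line in $1 reads OK (no NOKEY, BAD, etc.)
# and at least one of them was made by the key ID given in $2.
checksig_output_matches_key() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    found=1
    while IFS= read -r line; do
        case $line in
            *"Signature, key ID "*)
                case $line in
                    *": OK") ;;
                    *) return 1 ;;   # a signature that did not verify
                esac
                [ "$(key_id_from_checksig_line "$line")" = "$expected" ] && found=0
                ;;
        esac
    done <<EOF
$1
EOF
    return $found
}

# Run rpm -Kv on a package file and apply the check above.
# Returns 0 on success, 1 on a signature problem, 2 if the file is missing.
verify_rpm_signed_by() {
    pkg=$1; key=$2
    [ -f "$pkg" ] || { echo "no such file: $pkg" >&2; return 2; }
    out=$(rpm -Kv "$pkg") || return 1
    checksig_output_matches_key "$out" "$key"
}
```

Run it as `verify_rpm_signed_by foo-1.0-1.x86_64.rpm 45719a39` on the yum server; an unsigned package, a package signed only by the packager key, or a NOKEY result all make it fail.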
packaging@lists.fedoraproject.org