[libvirt] [libvirt-glib] spec: Add verification of the tarball GPG signature

Daniel P. Berrange berrange at redhat.com
Thu Apr 14 14:34:10 UTC 2016


On Thu, Apr 14, 2016 at 04:31:15PM +0200, Christophe Fergeau wrote:
> Hi,
> 
> On Thu, Apr 14, 2016 at 10:01:27AM -0400, Cole Robinson wrote:
> > On 04/14/2016 05:12 AM, Christophe Fergeau wrote:
> > > This at least allows to make sure that all tarballs are signed with the
> > > same GPG key, and that the tarball was not corrupted between the time it
> > > was uploaded upstream, and the time the RPM is built.
> > > 
> > > danpb-BE86EBB415104FDF.gpg is generated with:
> > > gpg2 -v --armor --export 15104FDF | gpg2 --no-default-keyring --keyring ./danpb-BE86EBB415104FDF.gpg --import
> > 
> > That file wasn't committed though, was it meant to be?
> 
> I left it out on purpose as it's better if the packager gets the key for
> verification using its own channel. If it's in the tarball, then it
> could be modified at the same time as the tarball. If someone wants to
> directly use the .spec file from the source tarball in order to build
> libvirt-glib, this is indeed going to be an issue. I don't think this is
> what is commonly done, is it?

Yes, it is something we need to support - ie rpmbuild -ta <tarball>
should work

So in retrospect we need to make this conditional, defaulting to
off, and just change it to default to on in fedora / rhel formal
builds

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
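One way to express the conditional scheme Daniel describes (off by default so `rpmbuild -ta <tarball>` still works, on for Fedora/RHEL formal builds) is an rpm `bcond` around a `gpgv2` check in the prep stage. This is an added example, not the libvirt-glib project's spec: the keyring file name comes from the thread, while the `Source1` detached-signature name, the `gpgverify` bcond name and the placeholder version are assumptions.

```spec
# Added example, not the project's own spec file.
# Default off so "rpmbuild -ta <tarball>" works without a local keyring;
# Fedora/RHEL formal builds get the check enabled by default.
%if 0%{?fedora} || 0%{?rhel}
%bcond_without gpgverify
%else
%bcond_with gpgverify
%endif

Name:           libvirt-glib
# placeholder version for the example
Version:        0.0.0
Release:        1%{?dist}
Summary:        libvirt glib integration for events
License:        LGPLv2+

Source0:        %{name}-%{version}.tar.gz
# detached signature name is assumed
Source1:        %{name}-%{version}.tar.gz.sig
# keyring generated as described in the thread; shipped by the packager,
# not taken from the tarball, so a tampered tarball cannot carry its own key
Source2:        danpb-BE86EBB415104FDF.gpg

%if %{with gpgverify}
BuildRequires:  gnupg2
%endif

%description
Example spec fragment showing a bcond-guarded tarball signature check.

%prep
%if %{with gpgverify}
# gpgv2 exits non-zero on a bad signature or on a key missing from the
# keyring; rpmbuild runs this stage with "set -e", so the build aborts
# instead of silently continuing with a corrupted or modified tarball.
gpgv2 --keyring %{SOURCE2} %{SOURCE1} %{SOURCE0}
%endif
%setup -q
```

A packager building on a distribution without the `%fedora`/`%rhel` macros defined can still opt in with `rpmbuild --with gpgverify -ta <tarball>`, provided the keyring has been fetched over a channel independent of the tarball download.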