<p><br>
On Apr 23, 2012 2:51 PM, "Christopher Howard" &lt;<a href="mailto:christopher.howard@frigidcode.com">christopher.howard@frigidcode.com</a>&gt; wrote:<br>
><br>
> I build my RPMs on one system but GPG sign them on another, which seems<br>
> to work fine with the rpmsign command. I was just wondering: is it<br>
> customary to sign just the source RPM, or both the source and binary<br>
> RPMs? Does it hurt anything to sign both?<br></p>
<p>I sign both srpm and rpm as myself (the packager). </p>
<p>They get re-signed with the deployment key when they're copied to the yum server. </p>
<p>hth, <br>
-paul</p>