miabbott reported a new issue against the project: `atomic-wg` that you are following:
``
It looks like the most recent F26AH release (26.120) has GPG verification turned on in the
remote config, but the older commits are not signed.
```
# cat /etc/ostree/remotes.d/fedora-atomic.conf
[remote "fedora-atomic"]
url=https://kojipkgs.fedoraproject.org/atomic/26/
gpg-verify=true
gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-primary
# rpm-ostree status
State: idle
Deployments:
● fedora-atomic:fedora/26/x86_64/atomic-host
Version: 26.120 (2017-09-05 00:05:09)
Commit:
0b0127864022dd6ffad1a183241fbd5482ef5a1642ff3c8751c2e6cae6070b1a
GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
# rpm-ostree deploy 26.119
Resolving version '26.119'
1 metadata, 0 content objects fetched; 569 B transferred in 1 seconds
error: Commit ec84d8b30ee5de761c19193717de54b2c33fd07e02b51a6b1855815c91f4e81a: GPG
verification enabled, but no signatures found (use gpg-verify=false in remote config to
disable)
```
Can we sign the older commits after the fact so users don't run into this?
``
To reply, visit the link below or just reply to this email
https://pagure.io/atomic-wg/issue/330