On Wed, Mar 30, 2016 at 11:38:28AM -0500, Michael Catanzaro wrote:
On Wed, 2016-03-30 at 15:57 +0000, Ralf Senderek wrote:
> It cannot be automated, because it relies on using the correct public
> key, which always has to be checked manually by the packager
> (including the use of gpg).
I mean, after the packager manually configures signature checking the
first time, then it can and should work automatically for package
updates until the public key changes.
The way I understand the planned implementation, the keyring would be
added as Source2, the signature as Source1, and in %prep a single-line-macro
would be used to verify Source0 with Source1 using Source2.
I.e., the manual step would be adding of the keyring as Source2 and
checking it at that time.
Zbyszek