On Tue, 2016-03-22 at 18:29 +0100, Till Maas wrote:
I already meant to file this feature request after discussing this
with
Werner Koch, so here it is and hopefully it will really be implemented:
https://bugs.gnupg.org/gnupg/issue2290
Excellent; thank you. And in the meantime it's possible just to
gpg2 --dearmor $KEY.asc
gpgv2 --keyring $KEY.asc.gpg %{SOURCE1} ${SOURCE0}
> The original draft does raise an interesting question — do we
need to
> put the upstream PGP key directly into the package git tree instead of
> the lookaside cache?
IMHO this makes it easier to manage, since one can just use fedpkg
new-sources for the new tarball and signature without making sure that
the key stays in the sources file.
And less chance of the key being changed.
--
dwmw2