On Tue, 2016-03-22 at 18:01 +0100, Björn Persson wrote:
> Because technically, verifying a tarball that the packager uploaded,
> with a signature that the packager uploaded, against a key that the
> packager uploaded, that doesn't really add anything compared to the
> packager verifying the signature before they upload the tarball.
... every time.
You're right, it doesn't really add anything. But it's free, and it's a
belt-and-braces system. Whatever might corrupt a tarball between the
original download and the RPM build, the check in %prep would catch it.
Assuming the signing key isn't *also* compromised, of course. But
there's a fairly large class of problems that *would* be caught. For
almost no effort.
--
David Woodhouse Open Source Technology Centre
David.Woodhouse(a)intel.com Intel Corporation
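The check being discussed, played out end to end as an added example (this is not code from the thread, from Fedora, or from either author). It generates two throwaway keys, one standing in for upstream and one for an attacker who can replace files on a download server but does not hold the upstream private key, builds a small constructed tarball, and then runs the same gpgv invocation a %prep section would run in four situations: intact tarball, corrupted tarball, corrupted tarball re-signed by the attacker, and the caveat from the reply above, where the keyring was fetched from the same compromised place as the tarball. Only gpg, gpgv and tar are needed and nothing touches the network; the names, file paths and e-mail addresses are all invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora: the belt-and-braces
# source check run against constructed inputs so the cases can be seen.
set -eu

for tool in gpg gpgv tar; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed, nothing to demonstrate" >&2; exit 0; }
done

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# Non-interactive key generation. One key plays upstream; the other plays an
# attacker who controls the download server but not the upstream private key.
gen_key() {   # gen_key NAME EMAIL
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}
gen_key "Example Upstream" upstream@example.invalid
gen_key "Example Attacker" attacker@example.invalid

# Constructed upstream release: a tarball and a detached, armored signature.
sign_as() {   # sign_as EMAIL DATA SIG
    gpg --batch --yes --local-user "$1" --armor --detach-sign --output "$3" "$2"
}
mkdir "$WORK/hello-1.0"
printf 'int main(void) { return 0; }\n' > "$WORK/hello-1.0/hello.c"
tar -C "$WORK" -cf "$WORK/hello-1.0.tar" hello-1.0
sign_as upstream@example.invalid "$WORK/hello-1.0.tar" "$WORK/hello-1.0.tar.asc"

# What the packager keeps under version control next to the spec: the
# upstream public key as a binary keyring, the form gpgv reads directly.
gpg --batch --export upstream@example.invalid > "$WORK/upstream.keyring"

# The check itself, as %prep would run it. Exit status 0 only if SIG is a
# valid signature over DATA from a key in KEYRING; since a keyring is given
# explicitly, gpgv's default trustedkeys keyring is not consulted.
verify_source() {   # verify_source KEYRING SIG DATA
    gpgv --homedir "$GNUPGHOME" --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# A tarball modified somewhere between the original download and the build.
cp "$WORK/hello-1.0.tar" "$WORK/tampered.tar"
printf 'x' >> "$WORK/tampered.tar"
# The attacker's version: the modified tarball plus a signature that is
# perfectly valid, just made by the wrong key, and a keyring to match it.
sign_as attacker@example.invalid "$WORK/tampered.tar" "$WORK/tampered.tar.asc"
gpg --batch --export attacker@example.invalid > "$WORK/swapped.keyring"

show() {   # show LABEL KEYRING SIG DATA
    if verify_source "$2" "$3" "$4"; then echo "$1: good signature"; else echo "$1: REJECTED"; fi
}
K="$WORK/upstream.keyring"
show "intact tarball, upstream signature" "$K" "$WORK/hello-1.0.tar.asc" "$WORK/hello-1.0.tar"
show "corrupted tarball, upstream signature" "$K" "$WORK/hello-1.0.tar.asc" "$WORK/tampered.tar"
show "corrupted tarball, attacker signature" "$K" "$WORK/tampered.tar.asc" "$WORK/tampered.tar"
# The caveat: if the keyring had been fetched from the same compromised place
# as the tarball, the attacker controls all three inputs and the check passes.
# Keeping the keyring in the package's own repository is what makes the first
# three cases meaningful.
show "corrupted tarball, attacker signature, swapped keyring" "$WORK/swapped.keyring" "$WORK/tampered.tar.asc" "$WORK/tampered.tar"
```

The first case is accepted and the next two are rejected, which is the "fairly large class of problems" a %prep check catches for free; the fourth is accepted, which is the "signing key also compromised" case, and the only defence against it is that the keyring is committed by the packager rather than downloaded alongside the tarball.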