On 2019-07-25, Björn Persson <Bjorn(a)xn--rombobjrn-67a.se> wrote:
> > Verifying the signature as part of the build ensures that packagers
> > don't forget to verify it.
>
> Then it's a job for "fedpkg new-sources" or spectool, not for
> rpmbuild.
>
> > (4) Verification of modified archives conflicts with a legal
> > requirement that Fedora cannot distribute the unmodified archive.
>
> If what you package is not what upstream released, then obviously you
> can't verify it against upstream's signature. If you must remove
> something for legal reasons, and you still want to verify the tarball,
> then you can sign your modified tarball with your own key.
I misread the guidelines at this point. It requires verification in the
code that modifies the original archive.
-- Petr
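The two cases Björn describes, verifying an unmodified tarball against upstream's detached signature and re-signing a legally modified tarball with the packager's own key, as an added example that is not part of the thread. It assumes GnuPG 2.1 or later (`gpg` and `gpgv`) is installed; the user ids, key homes and file names are constructed for the demonstration, and the keyring is passed explicitly so the check depends only on files shipped alongside the package rather than on the builder's own `~/.gnupg`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Demonstrates:
#  1. checking a tarball against upstream's detached signature with a
#     pinned keyring (the check that "fedpkg new-sources"/spectool or a
#     spec-file hook would perform), and
#  2. when the tarball had to be modified for legal reasons, signing the
#     modified tarball with the packager's own key so the same check
#     still applies, just against a different pinned key.
# Assumes GnuPG 2.1+; all ids and paths are constructed for the demo.
set -u

# verify_tarball KEYRING SIGNATURE TARBALL
# Returns 0 only if SIGNATURE is a good signature over TARBALL by a key
# in KEYRING. gpgv with an explicit keyring ignores the builder's
# ~/.gnupg, so the outcome depends only on the pinned keyring file.
verify_tarball() {
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# make_key GNUPGHOME USERID
# Generates a throwaway key in an isolated GNUPGHOME (demo only).
make_key() {
    mkdir -p "$1" && chmod 700 "$1"
    GNUPGHOME="$1" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never >/dev/null 2>&1
}

# export_keyring GNUPGHOME USERID OUTFILE
# Writes the public key in binary form, which is what gpgv reads.
export_keyring() {
    GNUPGHOME="$1" gpg --batch --yes --export "$2" > "$3"
}

# detach_sign GNUPGHOME USERID TARBALL OUTFILE
# Produces a detached signature over TARBALL with USERID's key.
detach_sign() {
    GNUPGHOME="$1" gpg --batch --yes --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --output "$4" --detach-sign "$3" >/dev/null 2>&1
}

# demo WORKDIR
# Walks through both cases with constructed keys and a constructed
# tarball. Returns 0 only if every check had the expected outcome.
demo() {
    w="$1"
    up="Upstream Test <upstream@example.invalid>"
    pk="Packager Test <packager@example.invalid>"
    make_key "$w/upstream" "$up" || return 1
    make_key "$w/packager" "$pk" || return 1
    export_keyring "$w/upstream" "$up" "$w/upstream.gpg" || return 1
    export_keyring "$w/packager" "$pk" "$w/packager.gpg" || return 1

    # Constructed stand-in for the upstream release tarball.
    printf 'release contents\n' > "$w/foo-1.0.tar"
    detach_sign "$w/upstream" "$up" "$w/foo-1.0.tar" "$w/foo-1.0.tar.sig" || return 1

    # Case 1: the unmodified archive verifies against upstream's key.
    verify_tarball "$w/upstream.gpg" "$w/foo-1.0.tar.sig" "$w/foo-1.0.tar" \
        && echo "unmodified: upstream signature OK" || return 1

    # Case 2: part of the archive was removed, so upstream's signature
    # no longer matches the file that will actually be shipped ...
    printf 'release contents minus the non-free part\n' > "$w/foo-1.0-clean.tar"
    verify_tarball "$w/upstream.gpg" "$w/foo-1.0.tar.sig" "$w/foo-1.0-clean.tar" \
        && return 1 || echo "modified: upstream signature rejected, as expected"

    # ... so the packager signs the modified archive with their own key,
    # and the build verifies against the packager's pinned key instead.
    detach_sign "$w/packager" "$pk" "$w/foo-1.0-clean.tar" "$w/foo-1.0-clean.tar.sig" || return 1
    verify_tarball "$w/packager.gpg" "$w/foo-1.0-clean.tar.sig" "$w/foo-1.0-clean.tar" \
        && echo "modified: packager signature OK" || return 1

    # A signature by a key that is not in the pinned keyring is rejected.
    verify_tarball "$w/upstream.gpg" "$w/foo-1.0-clean.tar.sig" "$w/foo-1.0-clean.tar" \
        && return 1 || echo "modified: key outside the pinned keyring rejected"
}

# Run the walkthrough directly with:  sh verify-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo "$(mktemp -d)"
fi
```

The design point is that both the upstream key and the packager key are pinned as files next to the sources; whoever verifies (packager, `fedpkg new-sources`, or a build hook) decides which keyring applies, and a modified archive is never checked against a signature that could not have covered it.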