I build my RPMs on one system but GPG sign them on another, which seems
to work fine with the rpmsign command. I was just wondering: is it
customary to sign just the source RPM, or both the source and binary
RPMs? Does it hurt anything to sign both?