GPG verification in SPECs
Brian C. Lane
bcl at redhat.com
Wed Jul 10 22:01:07 UTC 2013
On Mon, Jul 08, 2013 at 11:15:05PM +0200, Till Maas wrote:
> Hi,
>
> upstream of pam_mount pointed me to OpenSUSE's gpg-offline RPM macros at
> https://build.opensuse.org/package/show/Base:System/gpg-offline
>
> They allow to use a keyring and detached signature as additional source
> in SPECs to get both verified. Since gpg-offline's upstream is willing
> to create a proper release to allow easy packaging for Fedora, I wonder
> if I will find any obstacles when I package it. The packaging guidelines
> allow packaging RPM macros, therefore this should be fine.
>
> Also I am interested whether there are better options available.
In parted we have a signed upstream package and a detached signature. In
the pkg git we have the signer's public key and in %prep it runs gpg.
Source0: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz
Source1: ftp://ftp.gnu.org/gnu/%{name}/%{name}-%{version}.tar.xz.sig
Source2: pubkey.jim.meyering
gpg --import %{SOURCE2}
gpg --verify %{SOURCE1} %{SOURCE0}
What does gpg-offline add to this?
--
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20130710/190899b7/attachment.sig>
More information about the devel
mailing list