On Wed, Mar 30, 2016 at 11:38:28AM -0500, Michael Catanzaro wrote: > On Wed, 2016-03-30 at 15:57 +0000, Ralf Senderek wrote: > > It cannot be automated, because it relies on using the correct public > > key, which always has to be checked manually by the packager > > (including the use of gpg). > > I mean, after the packager manually configures signature checking the > first time, then it can and should work automatically for package > updates until the public key changes.
The way I understand the planned implementation, the keyring would be added as Source2, the signature as Source1, and in %prep a single-line-macro would be used to verify Source0 with Source1 using Source2. I.e., the manual step would be adding of the keyring as Source2 and checking it at that time. Zbyszek -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
