Ben Beasley wrote:
> Please compare with
> https://src.fedoraproject.org/rpms/xfontsel/blob/rawhide/f/xfontsel.spec,
> paying close attention to the comments in the spec file. SKS keyservers have
> gone offline since that package obtained its keyring, so try using
> hkps://keys.openpgp.org instead.
To elaborate on this, the procedure described in xfontsel.spec finds the key that was used to make the signature, so whoever made the signature becomes the trusted upstream. If you do that *once*, it's a form of trust on first use. It lets you discover future attacks as long as you continue using the same key, assuming that you got the right key to begin with. If you would repeat the key lookup every time you upgrade the package, then you would render the verification meaningless. You'd just be verifying that the tarball was signed by whoever signed the tarball. So don't do that.

Björn Persson
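As an added illustration of the one-time key lookup described above (this is not code from the thread or from the xfontsel package), here is what pinning the upstream keyring in a spec file looks like. The package name `foo`, its URLs and the fingerprint are placeholders; the `%{gpgverify}` macro and the `gnupg2` build dependency are Fedora's standard mechanism.

```spec
Name:           foo
Version:        1.2.3
Release:        1%{?dist}
Summary:        Hypothetical package showing a pinned upstream signing key
License:        MIT
URL:            https://example.org/foo

Source0:        https://example.org/foo/foo-%{version}.tar.xz
Source1:        https://example.org/foo/foo-%{version}.tar.xz.sig
# Upstream's signing key, looked up ONCE (trust on first use) and then
# committed to dist-git next to this spec. <UPSTREAM-FINGERPRINT> is a
# placeholder for the fingerprint of the key that made the signature:
#   gpg2 --keyserver hkps://keys.openpgp.org --recv-keys <UPSTREAM-FINGERPRINT>
#   gpg2 --export --export-options export-minimal <UPSTREAM-FINGERPRINT> \
#       > gpgkey-<UPSTREAM-FINGERPRINT>.gpg
# Do NOT re-run these commands on every version bump: if the keyring were
# refreshed from the new signature each time, the verification step below
# would only confirm that the tarball was signed by whoever signed it.
# Replace the keyring only after independently confirming that upstream
# really rotated their key.
Source2:        gpgkey-<UPSTREAM-FINGERPRINT>.gpg

# %%{gpgverify} needs gnupg2 in the build root
BuildRequires:  gnupg2

%description
Hypothetical package demonstrating a one-time upstream key lookup.

%prep
# Check the detached signature against the pinned keyring before unpacking.
# A tarball signed with any other key fails the build here.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```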