It doesn’t really matter what the file is called. Personally, I would rename it to oclock.gpg and add a brief spec file comment explaining where it came from.
On Sun, Apr 17, 2022, at 12:19 PM, Globe Trotter via devel wrote:
> Btw, I assume that I should call it xfontsel.gpg, or should I rename it too?
>
> Thanks!
>
> On Sunday, April 17, 2022, 10:50:37 AM CDT, Globe Trotter via devel <devel@lists.fedoraproject.org> wrote:
>
> Thanks very much! I will do this today.
>
> On Sunday, April 17, 2022, 09:12:15 AM CDT, Björn Persson <bj...@xn--rombobjrn-67a.se> wrote:
>
> Ben Beasley wrote:
>
>> Please see
>> https://src.fedoraproject.org/rpms/xfontsel/blob/a38f5a42fa7bc59378527cf05dabe29523675613/f/xfontsel.spec#_10
>> for an example from the same group of X11 programs.
>
> What's described there is known as TOFU – trust on first use. Ben looked up which key made the signature, downloaded that key and added it to the Git repository. Initially this adds no security, as all that can be verified is that the tarball was signed by whoever signed it.
>
> The value of TOFU comes when the same key is used to verify another tarball. As long as the key in the Git repository remains unchanged, the signature verification can prove that each new release of Xfontsel is signed by the same person who signed the earlier releases.
>
> In this case I see that Oclock and Xfontsel are signed with the same key. That seems quite legitimate as both tarballs are from www.x.org. Instead of doing another, separate TOFU, you should copy Ben's xfontsel.gpg from the xfontsel Git repository. That way your initial Oclock package is not a first use of the key, but a second use, and when you invoke gpgverify it will prove that the Oclock tarball was signed by the same person who signed the Xfontsel tarball.
>
> Once you have the key, remember to pass all three parameters to gpgverify: --keyring, --signature and --data.
>
> Björn Persson
>
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
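The arrangement Björn describes, written out as a spec fragment (an added example, not text from the thread and not the real oclock.spec): the key copied from the xfontsel dist-git repository ships as a source file, and all three gpgverify parameters are passed in %prep. The www.x.org release URL layout, the .tar.xz tarball naming and the gnupg2 build dependency are assumptions.

```rpm-spec
# Upstream tarball and its detached signature from www.x.org (URL layout assumed).
Source0:        https://www.x.org/releases/individual/app/%{name}-%{version}.tar.xz
Source1:        https://www.x.org/releases/individual/app/%{name}-%{version}.tar.xz.sig
# Signing key copied verbatim from the xfontsel dist-git repository (xfontsel.gpg)
# and renamed; reusing it makes this package the second use of the key rather
# than a fresh TOFU, so the check proves the same signer signed both tarballs.
Source2:        oclock.gpg

# Needed for %{gpgverify} (assumed build dependency).
BuildRequires:  gnupg2

%prep
# All three parameters are required: the keyring, the detached signature, and
# the data the signature covers. A bad or missing signature fails the build.
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup
```

If the key file in dist-git ever changes, the TOFU chain is broken and the new key needs the same scrutiny a first use would get.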