On 11/1/22 3:51 PM, Kevin Fenzi wrote: > On Tue, Nov 01, 2022 at 02:55:34PM -0700, Josh Stone wrote: >> On 11/1/22 11:16 AM, Neal Gompa wrote: >>> That said, the packages *are* signed in Koji, because as soon as it's >>> submitted to Bodhi, the packages are signed in-place in Koji. >> >> Is that really in-place? Bodhi says these are signed, but when I >> download from koji, "rpm -qip" still shows "Signature: (none)". > > If you download the direct build links you get unsigned copies. > > If you use something like: > > koji download-build --key=5323552a openssl-3.0.5-2.fc37 > > you get builds signed with the f37 key. > > Or you can look directly at: > https://kojipkgs.fedoraproject.org/packages/openssl/3.0.5/3.fc37/data/signed/5323552a/
It would be great to have that linked from Bodhi, perhaps on the Builds tab on the "Build signed" key icon for each package. _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
