On 11/1/22 3:51 PM, Kevin Fenzi wrote:
> On Tue, Nov 01, 2022 at 02:55:34PM -0700, Josh Stone wrote:
>> On 11/1/22 11:16 AM, Neal Gompa wrote:
>>> That said, the packages *are* signed in Koji, because as soon as it's
>>> submitted to Bodhi, the packages are signed in-place in Koji.
>>
>> Is that really in-place? Bodhi says these are signed, but when I
>> download from koji, "rpm -qip" still shows "Signature: (none)".
> 
> If you download the direct build links you get unsigned copies. 
> 
> If you use something like: 
> 
> koji download-build --key=5323552a openssl-3.0.5-2.fc37
> 
> you get builds signed with the f37 key. 
> 
> Or you can look directly at: 
> https://kojipkgs.fedoraproject.org/packages/openssl/3.0.5/3.fc37/data/signed/5323552a/

It would be great to have that linked from Bodhi, perhaps on the Builds
tab on the "Build signed" key icon for each package.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to