stevedlawrence opened a new pull request #333: Embed a signature into release RPMs

URL: https://github.com/apache/incubator-daffodil/pull/333

Although we provide signatures and SHAs for all release sources and binary helpers, it is possible to embed a signature in an RPM so that it can be verified upon installation. This is a nice added layer of verification that we should include.

The sbt-native-packager plugin we use to build RPMs does not support embedding signatures, but it is easy enough to manually add a signature after the RPM is built via the rpmsign tool. This patch modifies the release candidate container to use that tool to embed a signature with the same GPG key used to create all other signatures.

A side effect of this is that users installing the RPM will get a warning if they do not import the Daffodil GPG keys, but that can be done by running:

    rpm --import https://downloads.apache.org/incubator/daffodil/KEYS

Also fix a typo and modify README to set a hostname. The build hostname is included in the RPM so we want this to be consistent and not a random container ID as is the case by default.

DAFFODIL-2294
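An added example, not part of the pull request or of the Daffodil release scripts: a check a release or install script could run to confirm that an RPM really carries an embedded signature that verifies against the imported keys. `rpm --checksig` also reports success for an unsigned package whose digests match, so the exit status alone does not show that a signature is present. The function names are hypothetical, and the summary lines matched here are assumed to be the ones printed by recent rpm releases; anything else is treated as unknown and rejected.

```shell
#!/bin/sh
# Added example: decide whether an RPM has a verified embedded signature.
# classify_checksig and verify_rpm are hypothetical helper names.

# classify_checksig FILE LINE
#   FILE is the path passed to rpm, LINE is the summary line rpm printed.
#   Prints one of: signed-ok, unsigned, failed, unknown.
classify_checksig() {
    file=$1
    line=$2
    # Strip the exact "FILE: " prefix so a package name that happens to
    # contain the word "signatures" cannot influence the result.
    status=${line#"$file: "}
    case "$status" in
        *"NOT OK"*)
            # Bad digest, bad signature, or signing key not imported.
            echo "failed" ;;
        "digests signatures OK")
            # Digests match and the embedded signature verified.
            echo "signed-ok" ;;
        "digests OK")
            # Digests match but the package carries no signature at all.
            echo "unsigned" ;;
        *)
            # Unrecognised output: fail closed.
            echo "unknown" ;;
    esac
}

# verify_rpm FILE
#   Returns 0 only when FILE is signed and the signature verifies.
#   The signing keys must already be imported with rpm --import.
verify_rpm() {
    out=$(LC_ALL=C rpm --checksig "$1" 2>/dev/null) || true
    result=$(classify_checksig "$1" "$out")
    if [ "$result" != "signed-ok" ]; then
        echo "refusing $1: $result" >&2
        return 1
    fi
    return 0
}
```

Calling `verify_rpm path/to/package.rpm` before installation rejects both an unsigned package and one signed by a key that has not been imported.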
