stevedlawrence opened a new pull request, #8: URL: https://github.com/apache/daffodil-infrastructure/pull/8
- RPM maintains a separate keychain for public gpg keys. When building the check-release container, run rpm --import to import keys to that keychain
- Modify a check-release message to make it more clear it is verifying embedded RPM signatures and not the detached .asc signatures
- The rpm -K option succeeds even if the RPM does not have a gpg signature. To verify that an RPM both has an embedded gpg signature and that it is valid, we grep for the string "signatures OK"--this is only output if both conditions hold.
- When checking reproducibility, we delete the signature embedded in RPMs. But this means if you run the script again that signature will be missing and signature verification will fail. To prevent this, we back up RPMs to a temporary directory prior to deleting signatures and then restore them when the reproducible build check is done

DAFFODIL-2971
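The signature check and the backup/restore step described above, as an added example that is not code from this pull request or the Daffodil project. The function names and the sample `rpm -K` output lines in the comments are assumptions.

```shell
# Added example: function names and sample lines are assumptions, not project code.
# Constructed `rpm -K` output in the style recent rpm versions print:
#   pkg.rpm: digests signatures OK        signed, key imported, valid
#   pkg.rpm: digests OK                   no embedded signature, exit status 0
#   pkg.rpm: digests SIGNATURES NOT OK    signature present but not verified

# True only when the output reports a present and valid signature.
# The match is case-sensitive, so "SIGNATURES NOT OK" does not pass.
rpm_k_output_ok() {
    case "$1" in
        *"signatures OK"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Require both a zero exit status from rpm -K and the "signatures OK" string.
# The body runs in a subshell so its variables do not leak into the caller.
verify_embedded_sig() (
    out=$(rpm -K "$1" 2>&1) || exit 1
    rpm_k_output_ok "$out"
)

# Run a command that modifies the RPMs in directory $1, then put the
# original files back, whether or not the command succeeded.
with_rpm_backup() (
    dir=$1; shift
    backup=$(mktemp -d) || exit 1
    cp -p "$dir"/*.rpm "$backup"/ || { rm -rf "$backup"; exit 1; }
    status=0
    "$@" || status=$?      # keep going so the restore always happens
    cp -p "$backup"/*.rpm "$dir"/ || status=1
    rm -rf "$backup"
    exit "$status"
)
```

Because the originals are restored after the modifying command, a second run of `verify_embedded_sig` on the same directory still sees the embedded signatures.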
