Thanks for the response.
Micha![SRVE0190E - IBM WebSphere logo]()
el Zhang
Software Developer Test (WAS Install Team)
----- Original message -----
From: Tom Hughes <t...@compton.nu>
To: Development discussions related to Fedora <devel@lists.fedoraproject.org>, Michael Zhang <michael.zh...@ibm.com>
Cc:
Subject: Re: Fedora GPG signing/verifying question
Date: Thu, Mar 28, 2019 12:27 PM
On 28/03/2019 16:24, Michael Zhang wrote:
> When publishing, does Fedora:
> a) rebuild a maintainer's package from source and gpg sign it with
> their own fedora gpg key
> (ex. /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-11-primary)
> OR:
> b) publish the package that the maintainer personally compiled and
> gpg signed with their personal key?
>
> If the answer is b), why do we import a Fedora public key to verify
> packages/rpms?
The first - all packages are built from source in koji and then
signed with the Fedora key.
Tom
--
Tom Hughes (t...@compton.nu)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
