Vitaly Zaitsev via devel wrote: > On 29/11/2022 09:24, Bob Hepple wrote: >> "... Arch supports signed git tags. I'm hoping Fedora does too. > > On Fedora you must upload source tarball, its signature and public key to > the Fedora look-aside cache
A minor expansion on that; the public key / upstream keyring
must be be stored in dist-git rather than in the lookaside
cache, per the guidelines:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
Any detached signature file (e.g. foo.tar.gz.asc or
foo.tar.gz.sig) must be uploaded to the package
lookaside cache alongside the source code, while the
keyring must be committed directly to the package SCM.
One of reasons being that it's (at least slightly) easier to
notice a change to the public key / keyring when it's in
dist-git versus the lookaside cache.
--
Todd
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
