[Rpm-maint] [rpm-software-management/rpm] Document using Sequoia for signing (Issue #3248)
Neal H. Walfield
notifications at github.com
Tue Aug 20 12:34:14 UTC 2024
> We should at least document this,
I think documenting how to sign with `sq` is a great idea in particular given that [`sq` will be shipped with RHEL 10](https://bugzilla.redhat.com/show_bug.cgi?id=2305965).
> A key difference to gpg is the keyid (pun not entirely unintentional): where gpg takes a rather freeform string and tries to match it to a key, Sequoia requires an exact keyid or fingerprint.
I would say that this limitation is a "feature." It would be annoying if someone specified their email address, later inadvertently imported a key with the same address, and the wrong key was used when signing a package. It's probably not a security issue, but it would be a bit annoying to debug.
> We should at least document this, but also have a look at making our signing more tool-agnostic. Several error messages hardwire "gpg" even if configured to do something else.
Yeah, I agree that would be good.
@pmatilai: I'm not sure what other input might be useful. So, if you are looking for something else, please ask :).
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3248#issuecomment-2298749375
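To make the key-selection difference concrete, the following is an added Python example (not code from rpm, Sequoia or GnuPG, and not a reproduction of gpg's real matcher) that models the two rules on a constructed keyring in which two keys share an e-mail address: a freeform lookup returns more than one key and a first-hit-wins caller silently picks one, while an exact lookup accepts only a key ID or fingerprint and fails loudly on anything else. The final function is the sort of preflight one could run on the value of rpm's %_gpg_name macro before pointing the signing command at sq. The fingerprints, user IDs and the "key ID is the last 16 hex digits of a v4 fingerprint" rule are assumptions for illustration.

```python
"""Model of the two key-selection rules discussed in the thread above.

Added example, not code from rpm, Sequoia or GnuPG. The keyring below is
constructed, the 'freeform' matcher is a deliberate simplification of gpg's
real behaviour, and only v4-style 40-hex fingerprints are modelled.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    fingerprint: str   # 40 uppercase hex characters (v4 style, assumed)
    userids: tuple


# Constructed sample keyring, in import order. The first two keys carry the
# same e-mail address: the situation where a freeform selector goes wrong.
KEYRING = (
    Key("A1B2C3D4E5F60718293A4B5C6D7E8F9001122334",
        ("Release Team <release@example.org>",)),
    Key("5566778899AABBCCDDEEFF001122334455667788",
        ("Release Team (2024 rollover) <release@example.org>",)),
    Key("DEADBEEFCAFEF00DDEADBEEFCAFEF00D0A0B0C0D",
        ("Bob Builder <bob@example.org>",)),
)

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def freeform_lookup(keyring, selector):
    """Freeform matching as the thread describes gpg's: a case-insensitive
    substring match against fingerprints and user IDs. Returns every hit in
    keyring order; a 'first hit wins' caller silently picks hits[0]."""
    needle = selector.strip().lower()
    return [k for k in keyring
            if needle in k.fingerprint.lower()
            or any(needle in uid.lower() for uid in k.userids)]


def first_match(keyring, selector):
    """The key a first-hit-wins resolver would sign with (None if no match)."""
    hits = freeform_lookup(keyring, selector)
    return hits[0] if hits else None


def parse_exact_selector(selector):
    """Accept only a 16-hex key ID or a 40-hex fingerprint; spaces and an
    optional 0x prefix are tolerated. An e-mail address or name is an error."""
    s = selector.strip().replace(" ", "")
    if s[:2].lower() == "0x":
        s = s[2:]
    if not HEX_RE.match(s) or len(s) not in (16, 40):
        raise ValueError(f"not an exact key ID or fingerprint: {selector!r}")
    return s.upper()


def exact_lookup(keyring, selector):
    """Exact matching as the thread describes Sequoia's: the selector must be
    a key ID or fingerprint and must identify exactly one key. A v4 key ID is
    the low 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    s = parse_exact_selector(selector)
    hits = [k for k in keyring if k.fingerprint.endswith(s)]
    if len(hits) != 1:
        raise LookupError(f"{selector!r} matched {len(hits)} keys, need 1")
    return hits[0]


def check_signing_selector(keyring, selector):
    """Preflight for a selector about to be handed to an exact-match signer
    (for instance the value of rpm's %_gpg_name macro before switching the
    signing command from gpg to sq). Returns (ok, message)."""
    try:
        key = exact_lookup(keyring, selector)
    except (ValueError, LookupError) as err:
        hits = freeform_lookup(keyring, selector)
        would_hit = ", ".join(k.fingerprint for k in hits) or "nothing"
        return False, f"{err}; freeform matching would have hit: {would_hit}"
    return True, f"will sign with {key.fingerprint} ({key.userids[0]})"


if __name__ == "__main__":
    for sel in ("release@example.org", "6D7E 8F90 0112 2334",
                "0x" + KEYRING[1].fingerprint.lower()):
        print(sel, "->", check_signing_selector(KEYRING, sel))
```

Run it and the e-mail selector is reported as ambiguous (two freeform hits), while either spelling of a key ID or fingerprint resolves to exactly one key; that is the check worth wiring into a build pipeline before the signing tool changes underneath it.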