[Rpm-maint] [rpm-software-management/rpm] RFE: automatically sign packages on build (Issue #2678)

Panu Matilainen notifications at github.com
Thu Feb 13 07:11:41 UTC 2025


Righty, I guess this is starting to take some shape finally. Up to now I've been thinking of autosigning on build if %_openpgp_sign_id (think old %_gpg_name) is set, but this is problematic in many ways: signing takes place after the build has completed, and the signing asks for a passphrase at the end of four hours of build... and if you happen to be around, and mistype the password, you basically lost the build for no good reason. This is a pretty terrible user experience in every way 😆

So I think the right thing to do is to have rpm always set up a passwordless, rpm-specific key that all completed builds are signed with. If the user wants to resign it with something else like their own personal key later, that's no different to what they'd be doing now, and no matter what your setup was, builds aren't disrupted by any silly password questions that really don't belong in the build stage in the first place.

With that, we get verifiable packages out of the gate for the local builds use-case. Distros and such signing their packages is an entirely different case, that we're not disrupting with this AFAICS.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2678#issuecomment-2655712968

Message ID: <rpm-software-management/rpm/issues/2678/2655712968 at github.com>