[Rpm-maint] [rpm-software-management/rpm] RFE: automatically sign packages on build (Issue #2678)
Marek Marczykowski-Górecki
notifications at github.com
Tue Feb 18 12:17:09 UTC 2025
marmarek left a comment (rpm-software-management/rpm#2678)
The current approach looks okay, but I'll voice my concern in case it would be changed in a later iteration: avoid automatic key generation, and even more avoid automatically importing that key as trusted by rpm. This could easily result in the private key (already trusted by rpm there) leaking if somebody is not aware of all the details - for example by pushing a container to some registry where an rpm was built as part of the container build process.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2678#issuecomment-2665539153