Harbour app rpms to be signed by a dedicated key
As talked about here, it appears that the signing of harbour app rpms is left to the app provider.
It would be better if, when the QA/QC/test team acknowledges it, the rpm were automatically signed by a special harbour-app-only key.
Possibly a warning could be shown if an rpm install is attempted without a key or with a bad key.
Edit: Since there's an "untrusted software" option, it should just force the rpm install to fail if the signature is missing.
I think having the developer's key is important to identify him. But I like your suggestion; I would say a better choice would be to generate keys for each accepted developer (which only Harbour has access to) and have those keys be children of a Harbour Master Key!
dsilveira ( 2014-03-23 17:08:58 +0200 )
What one generally does is that the dev signs the package they submit, the distributor checks the sig for validity and, if valid, re-signs (rpmsign --resign), in this case with e.g. a HarbourReleaseKey2015.
pcfe ( 2015-09-25 13:11:03 +0200 )
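An added example, written for this page and not code from the thread or from Jolla/Harbour: a POSIX shell sketch of the flow pcfe describes (developer signs, Harbour verifies the developer's signature and re-signs with a release key) together with the device-side refusal of unsigned or wrongly signed rpms that the question asks for. It assumes rpm, rpmsign and gpg are installed, that the relevant public keys have been imported with `rpm --import` on each host, and that rpm's `%{RSAHEADER:pgpsig}` (or DSAHEADER/SIGPGP) query format prints a signer string ending in `Key ID <16 hex digits>`, or `(none)` when the tag is absent. The function names and the key IDs shown in the usage comments are invented for the example; the sample signer strings used to test the policy are constructed, not captured from a real package.

```shell
#!/bin/sh
# Added example (not from the thread): Harbour-side verify-then-resign gate and
# the device-side "no signature, no install" check.
# Assumptions: rpm, rpmsign, gpg installed; developer public keys imported on
# the Harbour host and the release public key imported on the device, both via
# `rpm --import`; the release key is a gpg secret key usable by this account.

# Pull the 16-hex-digit key ID out of the signer string rpm prints for the
# RSAHEADER/DSAHEADER/SIGPGP tags with the :pgpsig format, e.g.
#   "RSA/SHA256, Mon Jan  1 2018, Key ID 0123456789abcdef"   (constructed)
# Prints nothing for "(none)" (unsigned package) or anything unexpected.
sig_keyid() {
    case "$1" in
        *"Key ID "*)
            printf '%s\n' "${1##*"Key ID "}" | tr '[:upper:]' '[:lower:]' | cut -c1-16
            ;;
        *)
            :
            ;;
    esac
}

# Policy decision, kept free of rpm calls so it can be tested on constructed
# input. Accept only if the package carries a signature, the signing key is on
# the allow list, and rpm --checksig (its exit status is passed in) verified it.
# Usage: gate_verdict <pgpsig string> <checksig exit status> <allowed key id>...
# Prints one of: unsigned, unknown-key, bad-signature, ok; returns 0 only on ok.
gate_verdict() {
    sig=$1
    rc=$2
    shift 2
    kid=$(sig_keyid "$sig")
    if [ -z "$kid" ]; then
        echo unsigned
        return 1
    fi
    found=0
    for allowed in "$@"; do
        if [ "$(printf '%s' "$allowed" | tr '[:upper:]' '[:lower:]')" = "$kid" ]; then
            found=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo unknown-key
        return 1
    fi
    if [ "$rc" -ne 0 ]; then
        echo bad-signature
        return 1
    fi
    echo ok
}

# Signer string of an rpm file: header-only RSA/DSA signature first, then the
# older header+payload signature; prints nothing if the package is unsigned.
rpm_signer() {
    rpm -qp --qf '%{RSAHEADER:pgpsig}\n%{DSAHEADER:pgpsig}\n%{SIGPGP:pgpsig}\n' "$1" \
        | grep -v '^(none)$' | head -n 1
}

# Harbour side: verify the developer's signature, then replace it with the
# release key's. rpm keeps one signature per type, so --resign drops the
# developer's signature; keep your own record of which key the upload came in
# under (the verdict above is where that identity is established).
# Usage: harbour_resign app-0.1-1.armv7hl.rpm <release key id> <developer key id>...
harbour_resign() {
    pkg=$1
    release_key=$2
    shift 2
    if rpm --checksig "$pkg" >/dev/null 2>&1; then checksig_rc=0; else checksig_rc=1; fi
    verdict=$(gate_verdict "$(rpm_signer "$pkg")" "$checksig_rc" "$@") || {
        echo "REJECT $pkg: $verdict" >&2
        return 1
    }
    echo "ACCEPT $pkg: developer signature verified, re-signing" >&2
    # older rpmsign builds take --define "_gpg_name $release_key" instead of --key-id
    rpmsign --key-id "$release_key" --resign "$pkg"
}

# Device side: the same gate with the allow list reduced to the release key, so
# an unsigned rpm, or one signed by anyone else, is refused before rpm -U runs.
# Usage (as root): device_install_check app-0.1-1.armv7hl.rpm <release key id>
device_install_check() {
    pkg=$1
    release_key=$2
    if rpm --checksig "$pkg" >/dev/null 2>&1; then rc=0; else rc=1; fi
    verdict=$(gate_verdict "$(rpm_signer "$pkg")" "$rc" "$release_key") || {
        echo "refusing to install $pkg: $verdict" >&2
        return 1
    }
    rpm -Uvh "$pkg"
}
```

The decision logic lives in `gate_verdict` and takes the signer string and the `rpm --checksig` exit status as arguments, so the policy can be exercised on constructed input without any packages or keys on the machine; only `rpm_signer`, `harbour_resign` and `device_install_check` touch rpm. The exit status of `rpm --checksig` is used rather than its printed text because the text format changed between rpm releases, and `--checksig` returns success for an unsigned package (only digests are checked), which is exactly why the unsigned case has to be caught separately.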