Harbour app rpms to be signed by a dedicated key

asked 2013-12-30 18:27:37 +0200

AL13N gravatar image

updated 2014-03-23 11:32:38 +0200

As talked about here, it appears that the signing of harbour app rpms is left to the app provider.

Better would be that when the QA/QC/test team acknowledges it, that the rpm is automatically signed by a special harbour-app only key.

Possibly a warning could be shown if rpm installs are attempted without key or with a bad key.

Edit: Since there's an "untrusted software" option, it should just force to fail installing rpm if the signature is missing.

edit retag flag offensive close delete



I think having the developpers key is important to identify him. But I like your suggestion, I would say a better choice would be to generate keys for each accepted developper (which only harbour has access to) and have those keys be childs of a Harbour Master Key!

dsilveira ( 2014-03-23 17:08:58 +0200 )edit

What one generally does is that the dev signs the package they submit, the distributor checks to sig for validity and if valid re-signs (rpmsign --resign), in this case with e.g. a HarbourReleaseKey2015.

pcfe ( 2015-09-25 13:11:03 +0200 )edit