ktdreyer
commented
6 years ago Somewhat related, we could use a more basic check that rpm-sign has generated any content at all: https://github.com/alfredodeza/merfi/issues/58
Open ktdreyer opened 7 years ago
ktdreyer
commented
6 years ago Somewhat related, we could use a more basic check that rpm-sign has generated any content at all: https://github.com/alfredodeza/merfi/issues/58
merfi rpm-signcan optionally take a public key file (--keyfile). When this arg is present, merfi will copy the public key file asrelease.ascinto the root of every discovered Debian repo.There is nothing that sanity checks that this GPG public key matches the signatures that
rpm-signgenerated. An operator could accidentally pick the wrong GPG pubkey that does not match--key. Currently the QE team is our only hope for catching this.Ideally merfi should be able to automatically validate each signature against the
--keyfileand ensure that the public key does in fact match the private key that generated the signatures.