merfi rpm-sign can optionally take a public key file (--keyfile). When this argument is present, merfi copies the public key file as release.asc into the root of every discovered Debian repo.
There is nothing that sanity-checks that this GPG public key matches the signatures that rpm-sign generated. An operator could accidentally pick the wrong GPG pubkey, one that does not correspond to the private key given with --key. Currently the QE team is our only hope for catching this.
Ideally merfi should be able to automatically validate each signature against the --keyfile and ensure that the public key does in fact match the private key that generated the signatures.
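One way to implement that check, as an added example that is not merfi's own code: import only the operator-supplied --keyfile into an empty, throwaway GnuPG keyring and run gpg --verify on each detached signature in the repo, so a signature made by a key other than the one in release.asc fails instead of silently verifying against whatever lives in ~/.gnupg. The function names, the ".asc" detached-signature convention and the gpg command line are assumptions of this example.

```python
# Added example, not merfi's own code. Assumes the `gpg` binary (GnuPG 2.x)
# is on PATH and that detached signatures sit next to their data as <file>.asc.
import subprocess
import tempfile
from pathlib import Path


def run_gpg(home, *args):
    """Run gpg non-interactively against an isolated GNUPGHOME."""
    cmd = ["gpg", "--batch", "--no-tty", "--homedir", str(home), *args]
    return subprocess.run(cmd, capture_output=True, text=True)


def signature_matches_keyfile(keyfile, data_file, sig_file):
    """True only if sig_file is a good signature of data_file under keyfile.

    The keyring starts empty and receives just the --keyfile public key, so
    nothing from the operator's own keyring can make a mismatched key pass.
    """
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        if run_gpg(home, "--import", str(keyfile)).returncode != 0:
            return False  # keyfile is not a usable OpenPGP public key
        result = run_gpg(home, "--status-fd", "1", "--verify",
                         str(sig_file), str(data_file))
        # GOODSIG appears only when the signature verifies with an imported
        # key; a signature from any other key yields NO_PUBKEY and exit != 0.
        return result.returncode == 0 and "[GNUPG:] GOODSIG" in result.stdout


def check_repo(repo_root, keyfile, sig_suffix=".asc"):
    """Map each signed file under repo_root to whether its signature verifies.

    release.asc is the copied public key itself, not a signature, so it is
    skipped; so is any signature whose data file is missing.
    """
    results = {}
    for sig in Path(repo_root).rglob(f"*{sig_suffix}"):
        data = sig.with_suffix("")
        if sig.name == "release.asc" or not data.is_file():
            continue
        results[str(data)] = signature_matches_keyfile(keyfile, data, sig)
    return results
```

A wrapper for rpm-sign would call check_repo with the --keyfile path after signing and refuse to copy release.asc if any value in the returned dict is False.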