google / rpmpack

rpmpack (tar2rpm) - package rpms in pure golang or cli
Apache License 2.0

fix: ensure the rpm signature is properly validated #53

Closed djgilcrease closed 3 years ago

djgilcrease commented 3 years ago

fixes: https://github.com/goreleaser/nfpm/issues/265

It looks like yum & dnf try to verify the header signature as well even if it is not signed when pulling the rpm from a repo, but not when it is a local file.

jarondl commented 3 years ago

Thank you for the contribution!

I saw in goreleaser/nfpm#265 that this is going to be hard to reproduce in our tests, so we'll have to trust your tests.