Bug 2960 - sign our RPM packages
Summary: sign our RPM packages
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Build system
Target Milestone: MediumPrio
Assignee: Peter Åstrand
URL:
Keywords:
Depends on:
Blocks: 2958 2959 7637
Reported: 2008-11-07 15:50 CET by Pierre Ossman
Modified: 2022-10-04 08:45 CEST

See Also:
Acceptance Criteria:
Description Pierre Ossman cendio 2008-11-07 15:50:40 CET
Most packages these days are signed using GPG so that the user can be sure that they are from a trusted source. We should probably do the same and publish the fingerprint on our home page.
Comment 1 Peter Åstrand cendio 2008-11-13 14:11:56 CET
The PackageKit Error in Fedora 9 looks like this:

"Malicious software can damage your computer and cause other harm. Are you *sure* you want to install this package?"

Looks bad for ThinLinc, another reason to sign our packages.
Comment 4 Pierre Ossman cendio 2021-02-04 13:13:24 CET
A big problem with this is how should the users trust the key? They'll have to download it the same way they downloaded the packages. So the level of trust should be the same.
However if the key keeps getting reused then only the first download needs to take extra steps to verify the key. After that the users can keep verifying upgrades as they know the key is trusted.

This requires us to keep using the same key for a long time though, unlike distributions, which generally replace the keys for every version.
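Added example, not part of the bug thread: a POSIX shell sketch of the trust-on-first-use step described above, where the key is imported only if its fingerprint matches the one published on the home page, after which rpm verifies every later package with the imported key. The placeholder fingerprint, the sample key listing and the gpg/rpm invocations are assumptions.

```shell
#!/bin/sh
# PLACEHOLDER: replace with the fingerprint published on the vendor home page.
PUBLISHED_FPR="0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"

# Normalise a fingerprint for comparison: drop whitespace, upper-case the hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons --import-options show-only --import KEY` output on
# stdin and print the primary key fingerprint (the first fpr: record, field 10).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the key listing on stdin carries the pinned fingerprint $1.
key_is_pinned() {
    pinned=$1
    fpr=$(primary_fpr)
    [ -n "$fpr" ] && [ "$(norm_fpr "$fpr")" = "$(norm_fpr "$pinned")" ]
}

# First download: check the pin before the key enters the rpm database,
# then verify the package signature against the imported key.
import_key_and_verify() {
    keyfile=$1
    pkg=$2
    if ! gpg --with-colons --import-options show-only --import "$keyfile" \
            | key_is_pinned "$PUBLISHED_FPR"; then
        echo "fingerprint of $keyfile does not match the published one; not importing" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    rpm --checksig "$pkg"
}
```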
