2960 – sign our RPM packages

Bug 2960 - sign our RPM packages

Summary: sign our RPM packages

Status:	NEW

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	Build system (show other bugs)

Target Milestone:	MediumPrio
Assignee:	Peter Åstrand

URL:
Keywords:

Depends on:
Blocks:	2958 2959 7637
	Show dependency tree / graph

Reported:	2008-11-07 15:50 CET by Pierre Ossman
Modified:	2022-10-04 08:45 CEST (History)
CC List:	0 users

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Pierre Ossman cendio

2008-11-07 15:50:40 CET

Most packages these days are signed using GPG so that the user can be sure that they are from a trusted source. We should probably do the same and publish the fingerprint on our home page.

Comment 1 Peter Åstrand cendio

2008-11-13 14:11:56 CET

The PackageKit Error in Fedora 9 looks like this:

"Malicious software can damage your computer and cause other harm. Are you *sure* you want to install this package?"

Looks bad for ThinLinc, another reason to sign our packages.

Comment 4 Pierre Ossman cendio

2021-02-04 13:13:24 CET

A big problem with this is how should the users trust the key? They'll have to download it the same way they downloaded the packages. So the level of trust should be the same.


However if the key keeps getting reused then only the first download needs to take extra steps to verify the key. After that the users can keep verifying upgrades as they know the key is trusted.

This requires us to keep using the same key for a long time though, which is unlike what distributions do who generally replace the keys for every version.

Note You need to log in before you can comment on or make changes to this bug.