[Bug 2379742] Review Request: fastapi-cloud-cli - Deploy and manage FastAPI Cloud apps from the command line

https://bugzilla.redhat.com/show_bug.cgi?id=2379742



--- Comment #5 from Ben Beasley <code@xxxxxxxxxxxxxxxxxx> ---
(In reply to wojnilowicz from comment #4)
> No problem. I cannot approve it though due to an issue with gpg. Details
> below. Could you clarify?
> 
> 
> [!]: Sources are verified with gpgverify first in %prep if upstream
>      publishes signatures.
>      Note: gpgverify is not used.
> 
> You missed to verify the signature? Upstream uses gpg.

As far as I can tell, upstream just signs commits, e.g.
https://github.com/fastapilabs/fastapi-cloud-cli/commit/b963a0767f403e8b7c03ab1fad03a224b59c7bd3
for the 0.1.5 release.

I know how to verify gpg signatures on source archives, like those at
https://ftp.gnu.org/gnu/wdiff/; this is covered at
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_source_file_verification.

I’m not aware of a way to use a signature on a git commit or tag to verify a
source archive that purportedly corresponds to that commit or tag. As far as I
know, it is impossible without using an actual git checkout as the source
archive, which has a number of drawbacks. I’m not aware of any examples of
anyone successfully doing this in Fedora. If you’re aware of something I
missed, please let me know.

> Could you look at https://bugzilla.redhat.com/show_bug.cgi?id=2392155 ?

Sure, I’ve been meaning to get back to that. I’ll prioritize it.

