make public part of the signing key part of the delta calculation #39
Comments
Another option would be that the OBS automatically re-signs all packages, though that would also mean injecting new pesign build jobs.
I assume the key is part of a tag from
Signing happens after the build is done, at the rep server level, so the scheduler would need to pass the old and new pubkey as part of the buildjob data.
I think the old rpms are already signed, just the new build is not yet signed? If this is the case, the signing information needs special handling.
And of course there has to be an API to inform build-compare about the to-be-used signing key, so it can actually compare the keys.
Maybe @mlschroe has some ideas for this issue.
This is all you get with the existing rpm support:
Without the
The current key ID should be possible to derive from the project certificate, which is available during build. There is some baroque code for this in the kernel package: https://github.com/openSUSE/kernel-source/blob/master/rpm/kernel-binary.spec.in#L57 It is not clear that the ID is the same, though. Needs checking.
And the project certificate is not normally available; there is a special spec file comment for that.
Reasoning:
If you have to recreate the signing key for a project, the only way to rebuild all packages to get them signed with the new key is to disable build-compare, rebuild everything, and enable build-compare again. A cleaner way would be that build-compare knows "oh, we will sign this package with a new key" and lets it go through.
Without re-signing everything, we will end up with packages signed by a now unknown signing key.