Enable the ability to sign repository metadata so consumers can verify the integrity of a given repository via dnf with repo_gpgcheck in their configs.
Note that if this is done, it adds another race condition to updates from clients. Current Fedora RPM updates are already massively racy because only one RPM version is kept.
But having both repomd.xml and repomd.xml.asc means two files, which introduces another race. Debian went through the same issue and recently changed to doing signatures inline: http://www.chiark.greenend.org.uk/~cjwatson/blog/no-more-hash-sum-mismatch-errors.html
repomd.xml
repomd.xml.asc
A while ago I was advocating for this but I no longer do so. Instead I suggest doing "pinned TLS" to a centralized metadata server, and use mirrors for content. See also https://fedorahosted.org/fedora-infrastructure/ticket/5372
Metadata Update from @ausil: - Issue untagged with: meeting - Issue tagged with: f27
Metadata Update from @ausil: - Issue assigned to rhartman
this is actually a dup of #1501 I am in the process of moving that to taiga for grooming and injection into the priority pipeline
Metadata Update from @ausil: - Issue close_status updated to: Duplicate - Issue status updated to: Closed (was: Open)
https://taiga.fedorainfracloud.org/project/acarter-fedora-docker-atomic-tooling/us/799?kanban-status=145
By the way, I've opened https://github.com/rpm-software-management/librepo/issues/237 to see about inline signing repomd.xml content.
Log in to comment on this ticket.