On 08/02/18 17:45, Neal Gompa wrote:
> Hey,
>
> I've been trying to get the CentOS SIG repositories enabled in the
> openSUSE Build Service[1].
>
> Today, I started working with Adrian Schröter (who is CC'd to this
> email) on getting this done, and the issue right now is that there's
> no way to securely validate the repodata.
>
> OBS supports two ways:
>
> 1. Validating repodata from a mirror using the copy on the master
> server fetched through HTTPS.
>
> 2. Validating repodata through GPG-signed repodata (signed repomd.xml)
>
> While the base repositories do the latter, none of the repositories
> produced through CBS do, and _nothing_ currently does the former.
>
> Is there something that can be done to make this better so we can have
> nice things?
>
> Best regards,
> Neal
>
> [1]: https://progress.opensuse.org/issues/29568
>

As option [2] is already in place for base distro (but not all arches),
maybe that's the way to do it for the other repositories (using
different GPG keys too).
@KB: is that something you can add in your script?

--
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
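A sketch of the check behind option 1, as an added example that is not part of the original thread and is not OBS code: the mirror's repomd.xml is compared with a trusted copy, then each metadata file is checked against the checksum repomd.xml lists for it. The function names, the constructed sample data and the accepted checksum types are assumptions; fetching the master copy over HTTPS (or verifying the GPG signature from option 2) is assumed to have happened already.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # repomd.xml namespace
ALLOWED = ("sha256", "sha512")  # policy chosen for this example

def check_mirror(trusted_repomd, mirror_repomd, mirror_files):
    """Return a list of problems; an empty list means the mirror validates.

    trusted_repomd: bytes of repomd.xml obtained from a trusted source.
    mirror_files: {href: bytes} of the metadata files served by the mirror.
    """
    if trusted_repomd != mirror_repomd:
        return ["repomd.xml: differs from trusted copy"]
    problems = []
    for data in ET.fromstring(trusted_repomd).findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        csum = data.find("r:checksum", NS)
        algo, want = csum.get("type"), csum.text.strip().lower()
        blob = mirror_files.get(href)
        if algo not in ALLOWED:
            problems.append(f"{href}: checksum type {algo} not accepted")
        elif blob is None:
            problems.append(f"{href}: missing on mirror")
        elif hashlib.new(algo, blob).hexdigest() != want:
            problems.append(f"{href}: checksum mismatch")
    return problems

def build_sample():
    """Constructed repodata: two metadata files and a matching repomd.xml."""
    blobs = {"primary": b"constructed primary metadata",
             "filelists": b"constructed filelists metadata"}
    files, entries = {}, ""
    for kind, blob in blobs.items():
        href = f"repodata/{kind}.xml.gz"
        files[href] = blob
        entries += (f'<data type="{kind}"><checksum type="sha256">'
                    f'{hashlib.sha256(blob).hexdigest()}</checksum>'
                    f'<location href="{href}"/></data>')
    repomd = f'<repomd xmlns="{NS["r"]}">{entries}</repomd>'.encode()
    return repomd, files

if __name__ == "__main__":
    repomd, files = build_sample()
    files["repodata/primary.xml.gz"] = b"modified on the mirror"
    print(check_mirror(repomd, repomd, files))
```
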