Re: Keys/Signature use in OSTree/Flatpak/Flathub





On Fri, Oct 7, 2016, at 04:05 PM, Dan Nicholson wrote:

I think the point is that if you're doing anything nontrivial, then
you need to sign the summary file on the server.

Can you elaborate on that bit?

Since you can't
reliably mirror an ostree repo anywhere (cross your fingers with
rsync!), 

Hmm, are you referring to https://bugzilla.gnome.org/show_bug.cgi?id=765701
or something else?

that pretty much means that the private key needs to be
available on your public facing server.

Why?  What blocks you from signing on an internal
server and mirroring (via rsync or having the public
server do a pull from internal or whatever)



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]