[rb-general] [jvm] How to share rebuilder attestations
Arnout Engelen
arnout at bzzt.net
Mon Jan 7 12:18:54 CET 2019
On Mon, Jan 7, 2019 at 9:27 AM Hervé Boutemy <hboutemy at apache.org> wrote:
> <snip>
Agreed with basically everything above ;)
> > - What exactly gets PGP-signed? (The binary artifact? The buildinfo?
> > If the latter, how does one then establish trust in the binary
> > artifact?)
> good question:
> the rebuilder's buildinfo, for sure, gets signed by the rebuilder
> Signing the binary artifact could make sense, but the workflow for that may
> not be easy...
> Signing the original buildinfo file to me does not really make sense: if we
> sign an existing file, IMHO it's better to go with the binary artifact
I agree the rebuilder should sign his own buildinfo.
Since the buildinfo contains the hashes of the binary artifacts, it doesn't
seem necessary to also sign the binary artifacts themselves
separately.
Kind regards,
Arnout
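The trust chain Arnout describes (a signed rebuilder buildinfo whose recorded hashes pin the binary artifacts, so no separate artifact signature is needed), as an added example that is not part of the thread. It assumes a key=value buildinfo layout with outputs.N.filename / outputs.N.length / outputs.N.checksums.sha512 entries as written by the Maven buildinfo tooling (an assumption here), and models the PGP check on the buildinfo as a caller-supplied callable so it runs offline; the sample artifacts are constructed.

```python
"""Trust a binary artifact via a signed buildinfo that records its hash."""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed sample artifacts: the bytes stand in for a real pom and jar.
ARTIFACTS = {
    "demo-1.0.pom": b"<project>demo 1.0</project>\n",
    "demo-1.0.jar": b"PK\x03\x04 constructed jar bytes for the example\n",
}


def _sha512(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def make_buildinfo(artifacts: Dict[str, bytes]) -> str:
    """Emit the outputs.N.* records a rebuilder would publish (assumed layout)."""
    lines = ["buildinfo.version=1.0-SNAPSHOT", "name=demo", "version=1.0"]
    for i, (name, data) in enumerate(sorted(artifacts.items())):
        lines += [f"outputs.{i}.filename={name}",
                  f"outputs.{i}.length={len(data)}",
                  f"outputs.{i}.checksums.sha512={_sha512(data)}"]
    return "\n".join(lines) + "\n"


REBUILDER_BUILDINFO = make_buildinfo(ARTIFACTS)


def parse_outputs(buildinfo: str) -> Dict[str, Tuple[int, str]]:
    """Map filename -> (length, sha512) from the outputs.N.* keys."""
    rows: Dict[str, Dict[str, str]] = {}
    for line in buildinfo.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        if len(parts) < 3 or parts[0] != "outputs":
            continue
        rows.setdefault(parts[1], {})[".".join(parts[2:])] = value
    return {r["filename"]: (int(r["length"]), r["checksums.sha512"])
            for r in rows.values() if "filename" in r}


def artifact_trusted(name: str, data: bytes, buildinfo: str,
                     signature_valid: Callable[[str], bool]) -> bool:
    """Trusted only if the buildinfo signature verifies AND the artifact's
    length and sha512 match the signed record: the signed hash pins the bytes."""
    if not signature_valid(buildinfo):
        return False
    outputs = parse_outputs(buildinfo)
    if name not in outputs:
        return False
    length, digest = outputs[name]
    return len(data) == length and _sha512(data) == digest


def reproduced(original: str, rebuilt: str) -> bool:
    """An independent rebuild reproduces the release when every output matches."""
    return parse_outputs(original) == parse_outputs(rebuilt)
```

A tampered artifact fails even though the buildinfo signature is fine, and an unsigned buildinfo proves nothing regardless of matching hashes.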