Signing Foreman Plugin Packages


Just wondering why the packages in Foreman Plugins yum repo are not signed?



Perhaps someone in the @packaging team can answer this.

I think this is mostly for historical reasons but I’m not actually sure. Could have something to do with the fact that core releases are manually signed and have a clear release process. Plugins are somewhat async to that whole process.

We’re about to refactor the whole release process to use more automation and we should at least consider signing these, even if they use a separate GPG key.
