PackagingDrafts:GPGSignatures

Proposal to address the concern that upstream source tarballs may be compromised at some point in time (including while sitting in our SCM lookaside cache). UnrealIRCd is currently facing exactly such a problem.

 * 1) Include the GPG signature file for the upstream source tarball as a SourceN file in the spec.
 * 2) Include the upstream GPG public key as a SourceN file in the spec.
 * 3) Commit the upstream GPG public key to the SCM.  Do not copy it into the lookaside cache.  (Subject to debate).
 * 4) Commit the GPG signature file to the SCM.  Do not copy it into the lookaside cache.  (Subject to debate).
 * 5) Add capability to rpmbuild to import the GPG key and verify that the GPG signature matches.  rpmbuild cannot (and need not) validate GPG key ownership.
 * 6) Add capability to rpmlint to import the GPG key and verify that the GPG signature matches in the SRPM.  rpmlint cannot (and need not) validate GPG key ownership.
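As an added illustration of steps 1, 2 and 5 (not part of this draft, and not an existing rpmbuild feature), this is what the check could look like today in a spec's %prep section using gnupg2 directly. The package name, version and URLs are placeholders, and the key file in Source2 is assumed to be ASCII-armored.

```spec
Name:           example-pkg
Version:        1.0
Release:        1%{?dist}
Summary:        Placeholder package illustrating tarball signature verification
License:        MIT
URL:            https://example.invalid/
# Upstream tarball (goes to the lookaside cache as usual)
Source0:        https://example.invalid/%{name}-%{version}.tar.gz
# Step 1: GPG signature of Source0, committed to the SCM
Source1:        https://example.invalid/%{name}-%{version}.tar.gz.asc
# Step 2: upstream's ASCII-armored public key, committed to the SCM
Source2:        upstream-signing-key.asc

BuildRequires:  gnupg2

%description
Placeholder package; only the %prep section matters here.

%prep
# Throwaway keyring: the build never touches the builder's ~/.gnupg, and the
# only key that can satisfy the check is the one shipped in Source2.
export GNUPGHOME="$(mktemp -d)"
gpg2 --batch --quiet --import %{SOURCE2}
# Export the imported key into a plain keyring file for gpgv2. gpgv2 treats
# every key in its keyring as valid, which matches step 5: rpmbuild checks
# that the signature matches, not who owns the key.
gpg2 --batch --quiet --export > "$GNUPGHOME/upstream.gpg"
# gpgv2 exits non-zero on a bad or missing signature, which aborts the build.
gpgv2 --keyring "$GNUPGHOME/upstream.gpg" %{SOURCE1} %{SOURCE0}
rm -rf "$GNUPGHOME"
%setup -q
```

Newer redhat-rpm-config ships a %gpgverify macro that wraps the same keyring/signature/data check; the fragment above uses plain gnupg2 so it does not depend on that macro.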