GPG signatures for Varnish 4.1 repository

James Boyle jboyle at
Fri Aug 24 20:40:04 UTC 2018


I was wondering if the Varnish maintainers would consider adding GPG
signatures to the packages in the Varnish 4.1 repository
( It would
increase the level of confidence that those packages have not been
tampered with since being built. For custom repositories I maintain, it
is as simple as running the following in the appropriate directory after
the build process is complete, though, admittedly, I'm unfamiliar with
the build process in use on your side.

rpmsign -D '_gpg_name jboyle at' --addsign *.rpm

Also, I contacted the folks at first -- they recommended
I share that they also have some support for GPG (public) keys.  They
gave me this link:

However, I'd most like to have signatures embedded in the packages so I
can set gpgcheck=1 in my yum repository configuration.

Thank you!
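
A check for the gpgcheck=1 setting mentioned above, as an added example that is not part of the original message: the shell function below reads a yum .repo file and reports, per repository section, whether signature checking is switched on. The repo ids, URLs and key path in the sample are constructed placeholders, and treating a missing gpgcheck line as a failure is this example's own policy, since yum then inherits the value from [main] in yum.conf.

```shell
# Added example (not from the original post): audit a yum .repo file and
# report, per repository section, whether package signatures are enforced.
# Constructed sample input; repo ids, URLs and key path are placeholders.
write_sample_repo() {
    cat > "$1" <<'EOF'
[example-signed]
baseurl=https://repo.example.invalid/signed/el7/$basearch
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-unsigned]
baseurl=https://repo.example.invalid/unsigned/el7/$basearch
gpgcheck=0

[example-implicit]
# no gpgcheck line: the value is inherited from [main] in yum.conf
baseurl=https://repo.example.invalid/implicit/el7/$basearch
EOF
}

# Prints "<repo-id> <OK|WARN|FAIL|SKIP> <reason>" for each section of file $1.
audit_repo_file() {
    awk '
    function report() {
        if (id == "") return
        if (enabled == "0") print id, "SKIP disabled"
        else if (gpgcheck == "") print id, "FAIL gpgcheck not set in this file"
        else if (gpgcheck !~ /^(1|yes|true)$/) print id, "FAIL gpgcheck=" gpgcheck
        else if (gpgkey == "") print id, "WARN no gpgkey; key must already be imported"
        else print id, "OK"
    }
    /^[ \t]*[#;]/ { next }                      # comment line
    /^[ \t]*\[.*\]/ {                           # new [section] header
        report()
        id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
        gpgcheck = ""; gpgkey = ""; enabled = "1"
        next
    }
    /=/ {                                       # key=value inside a section
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = tolower(val)
        else if (key == "gpgkey") gpgkey = val
        else if (key == "enabled") enabled = val
    }
    END { report() }
    ' "$1"
}

f=$(mktemp) && write_sample_repo "$f" && audit_repo_file "$f"; rm -f "$f"
```

On a real host the function can be pointed at each file under /etc/yum.repos.d/ in turn.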

