b8b6619d39
Instead of verifying the gpg signature when pull from the actual remote source into the local cache, verify the commit when it is being pulled from the local cache into the output directory. This ensures that the signatures are checked against the provided keys even when the commit was already in the cache and at that time the key might have been different. NB: ostree expects the signature to be present on the remote at the *target* repository, i.e. in our case the output repository. The keys are therefore attached to a temporary remote that is created at the output repository with the same name/id that is used for the actual remote. |
||
|---|---|---|
| .. | ||
| org.osbuild.dnf | ||
| org.osbuild.files | ||
| org.osbuild.ostree | ||