Bug 2009927 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Signing RPMs would require specific support in Autograph, as RPM signatures are embedded in the package structure rather than detached. This isn't a trivial addition and there's no readily available tool we could use to avoid it.

The practical risk is limited: packages are served over HTTPS from a single origin (no mirrors), and the binaries within the packages are independently signed.
Signing RPMs would require specific support in Autograph, as RPM signatures are embedded in the package structure rather than detached. This isn't a trivial addition and there's no readily available tool we could use to avoid it.

The practical risk is limited: packages are served over HTTPS from a single origin (no mirrors).
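The comment's point that RPM signatures live inside the package rather than as a detached file can be seen by walking the RPM container itself. The following is an added example and is not code from the bug, from Autograph, or from the rpm project: it builds two tiny, constructed RPM-shaped byte strings (one with only digests in the signature header, one that also carries RSA/PGP signature entries with fake placeholder blobs, so neither would verify), then parses the lead, the signature header and the main header to report which signature tags are present. Helper names such as build_rpm and signature_status are illustrative. The tag numbers (RPMSIGTAG_SIZE=1000, PGP=1002, MD5=1004, GPG=1005, DSAHEADER=267, RSAHEADER=268, SHA1HEADER=269, SHA256HEADER=273) and the header layout (magic, reserved, index count, data size, 16-byte index entries, 8-byte padding after the signature header) follow the rpm file format.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # RPM lead, 96 bytes in total
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # start of every RPM header structure
LEAD_SIZE = 96

# Tags in the signature header (separate namespace from the main header,
# where 1000 is RPMTAG_NAME).
SIG_TAG_NAMES = {1000: "SIZE", 1002: "PGP", 1004: "MD5", 1005: "GPG",
                 267: "DSA", 268: "RSA", 269: "SHA1", 273: "SHA256"}
# Only these tags carry an OpenPGP signature; the rest are plain digests.
SIGNATURE_TAGS = {1002, 1005, 267, 268}
# Fixed-size element widths by RPM data type: INT16, INT32, INT64, BIN.
TYPE_SIZES = {3: 2, 4: 4, 5: 8, 7: 1}


def build_header(entries):
    """Serialize a header structure from (tag, type, payload, count) tuples."""
    index, data = b"", b""
    for tag, typ, payload, count in entries:
        if typ == 4:                       # INT32 values are 4-byte aligned
            data += b"\0" * (-len(data) % 4)
        index += struct.pack(">iiii", tag, typ, len(data), count)
        data += payload
    return (HEADER_MAGIC + b"\0" * 4
            + struct.pack(">II", len(entries), len(data)) + index + data)


def build_rpm(signed):
    """Constructed, minimal RPM-shaped bytes (hypothetical package; not a real RPM)."""
    payload = b"\x1f\x8b" + b"\0" * 30     # stand-in for the compressed cpio payload
    main_header = build_header([(1000, 6, b"example\0", 1)])  # RPMTAG_NAME
    sig_entries = [
        (1000, 4, struct.pack(">I", len(main_header) + len(payload)), 1),  # RPMSIGTAG_SIZE
        (1004, 7, hashlib.md5(main_header + payload).digest(), 16),        # RPMSIGTAG_MD5
    ]
    if signed:
        fake_sig = b"\x89\x01" + b"\0" * 14  # placeholder, NOT a valid OpenPGP packet
        sig_entries += [(268, 7, fake_sig, 16),    # RSAHEADER: signature over the header
                        (1002, 7, fake_sig, 16)]   # RPMSIGTAG_PGP: header + payload
    sig_header = build_header(sig_entries)
    sig_header += b"\0" * (-len(sig_header) % 8)   # signature header is padded to 8 bytes
    lead = LEAD_MAGIC + bytes([3, 0]) + b"\0" * 90  # version 3.0, rest zeroed
    return lead + sig_header + main_header + payload


def parse_header(buf, off):
    """Parse one header structure at buf[off:]; return ({tag: raw bytes}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">iiii", buf[index_start + 16 * i:index_start + 16 * (i + 1)])
        start = data_start + offset
        if typ in TYPE_SIZES:
            entries[tag] = buf[start:start + TYPE_SIZES[typ] * count]
        else:                               # STRING-like types are NUL-terminated
            entries[tag] = buf[start:buf.index(b"\0", start)]
    return entries, data_start + hsize


def parse_rpm(buf):
    """Return (signature header entries, main header entries) for an RPM byte string."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig, end = parse_header(buf, LEAD_SIZE)
    end += -end % 8                          # skip padding before the main header
    main, _ = parse_header(buf, end)
    return sig, main


def signature_status(buf):
    """Report which signature-header tags exist. Presence is not verification."""
    sig, main = parse_rpm(buf)
    return {
        "name": main.get(1000, b"").decode(),
        "tags": sorted(SIG_TAG_NAMES.get(t, str(t)) for t in sig),
        "signed": any(t in SIGNATURE_TAGS for t in sig),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(signature_status(build_rpm(signed=flag)))
```

This only shows where a signature would sit in the file; it does not check the signature against any key. On a real system the check is `rpm -K` (alias `rpm --checksig`), which verifies the embedded signatures and digests against the imported keys.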
