 |
Hello, thank you for the report. Users have pointed this out in the past when we released Rocky Linux 9. The reason why there is currently no CHECKSUM.sig file is due to how our new build system works with "keykeeper", the component that signs artifacts such as RPM's. Because of the way it is designed, we cannot use it to sign arbitrary files, only RPM packages. With Rocky Linux 8, we were able to use (what we now call the legacy) build system there to sign arbitrary files using sigul. This is not neglect of GPG; it just comes down to how our new build system and thus signing infrastructure was designed. As an aside, checksums can also be found here, where the commits must be GPG signed. While this is not a perfect solution and we're aiming to have it backed by automation and a key outside of the RPM signing (to keep it from being manual), it was provided to ease concerns from other users about having checksums just at our tier 0 and nowhere else. https://github.com/rocky-linux/checksums |
- Anonymous
