Hi,
I noticed that some packages in the devel repo in the Alma Linux vault server for Alma 8.6 have no GPG signature, yet the same package does have a signature for 8.7. Is there any specific reason for this?
An example of what I mean:
Alma 8.6 (no signature):
https://vault.almalinux.org/8.6/devel/x86_64/os/Packages/javapackages-filesystem-5.3.1-7.module_el8.3.0+2032+25f04681.noarch.rpm
Name : javapackages-filesystem
Version : 5.3.1
Release : 7.module_el8.3.0+2032+25f04681
Architecture: noarch
Install Date: (not installed)
Group : Unspecified
Size : 1932
License : BSD
Signature : (none)
Source RPM : javapackages-tools-5.3.1-7.module_el8.3.0+2032+25f04681.src.rpm
Build Date : Thu Feb 11 13:20:56 2021
...
Alma 8.7 (has signature):
https://vault.almalinux.org/8.7/devel/x86_64/os/Packages/javapackages-filesystem-5.3.1-7.module_el8.3.0+2032+25f04681.noarch.rpm
Name : javapackages-filesystem
Version : 5.3.1
Release : 7.module_el8.3.0+2032+25f04681
Architecture: noarch
Install Date: (not installed)
Group : Unspecified
Size : 1932
License : BSD
Signature : RSA/SHA256, Mon Apr 17 09:55:40 2023, Key ID 51d6647ec21ad6ea
Source RPM : javapackages-tools-5.3.1-7.module_el8.3.0+2032+25f04681.src.rpm
Build Date : Thu Feb 11 13:20:56 2021
...
I understand that these old package versions are just meant to be available for legacy / archive purposes and should not be used. I’m just curious as to why there is no GPG signature.