Bug 34204

Summary: rpmkeys lacks a method of obtaining the signature creation time
Product: Sisyphus Reporter: Dmitry V. Levin <ldv>
Component: rpmAssignee: placeholder <placeholder>
Status: NEW --- QA Contact: qa-sisyphus
Severity: enhancement    
Priority: P3 CC: at, glebfm, imz, ldv, placeholder, vseleznv, vt
Version: unstable   
Hardware: all   
OS: Linux   

Description Dmitry V. Levin 2017-11-16 08:20:08 MSK 
Old good rpm-4.0.4 used to have the following feature:

$ rpmsign -K --define '__gpg_verify_cmd %__gpg --batch --no-verbose --verify --status-fd=1 %__signature_filename %__plaintext_filename' \
vitmp-1.0-alt4.qa1.src.rpm | \
sed -n 's/^\[GNUPG:\] VALIDSIG [[:xdigit:]]\+ [^ ]\+ \([[:digit:]]\+\) .*/\1/p'
1366322522

An analogue is needed in the brand new rpm suite to implement SOURCE_DATE_EPOCH forwarding from signed srpm packages to hasher.
Comment 1 Dmitry V. Levin 2017-11-20 19:40:29 MSK 
Looks like we can follow a simpler route and just use buildtime of signed srpm packages to implement SOURCE_DATE_EPOCH support.